Abstract. The most natural, compositional way of modeling real-time systems uses a dense domain for time. The satisfiability of real-time constraints that are capable of expressing punctuality in this model is, however, known to be undecidable.

We introduce a temporal language that can constrain the time difference between events only with finite (yet arbitrary) precision and show the resulting logic to be EXPSPACE-complete. This result allows us to develop an algorithm for the verification of timing properties of real-time systems with a dense semantics.


1  Introduction 

The formal study of reactive systems has led recently to a number of suggestions of how real-time requirements of such systems ought to be modeled, specified, and verified. Most of these approaches are situated at either extreme of the trade-off between realistic modeling of time and feasible verification of timing properties. Typically, they either use a continuous model of time at the expense of decidability [ACD90, Koy90, Lew90], or they sacrifice continuity to obtain decision procedures [JM86, AH89, AH90, EMSS89, HLP90, Ost90]. This paper shows how a slight relaxation of the notion of punctuality allows us to combine the best of both worlds.

*An abbreviated version of this paper appears in the proceedings of the Tenth Annual ACM Symposium on Principles of Distributed Computing (1991).

†This research was supported in part by an IBM graduate fellowship, by the National Science Foundation grants CCR-89-11512, CCR-89-13641, and MIP-88-588807, by the Defense Advanced Research Projects Agency under contract N00039-84-C-0211, and by the United States Air Force Office of Scientific Research under contract AFOSR-90-0057.

‡Department of Computer Science, Stanford University, Stanford, CA 94305.

§Bell Communications Research, Morristown, NJ 07962.
Let us be more specific. The linear (trace) semantics of a reactive system is defined as a set of possible behaviors, each of which is represented by a sequence of system states. This model is most naturally extended to incorporate real time by associating, with every state, an interval of the real line, which indicates the period of time during which the system is in that state. That is, we represent the possible behaviors of a real-time system by timed state sequences.

Alas, even the satisfiability of a very simple class of real-time properties turns out to be undecidable in this model [AH89]. An inspection of the proof shows that the only timing constraints required are of the form

$$\Box(p \to \Diamond_{=5}\, q), \qquad (\dagger)$$

predicting that every $p$-state is followed by a $q$-state precisely 5 time units later.

This negative result has led us, at first, to weaken the expressiveness of the model by adopting the semantic abstraction that, at every state change, we may record only a discrete approximation (the number of ticks of a digital clock) to the real time. Thus we have interpreted the formula $(\dagger)$ to require only that the $p$-state and the corresponding $q$-state are separated by exactly 5 clock ticks; their actual difference in time may be as much as (say) 5.9 time units or as small as 4.1 time units. We have shown that several interesting real-time logics are decidable under this weaker, digital-clock interpretation [AH89, AH90].

In this paper we pursue an alternative, syntactic, concession. Instead of digitizing the meaning of a sentence, we prohibit timing constraints that predict the time difference between two states with infinite accuracy. In particular, we may not state the property given above, but only an approximation such as

$$\Box(p \to \Diamond_{(4.9,5.1)}\, q),$$

requiring that the $p$-state and the corresponding $q$-state are separated by more than 4.9 time units and less than 5.1 time units.

We define a language that can constrain the time difference between events only with finite (yet arbitrary) precision. The resulting metric interval temporal logic MITL is shown to be decidable in EXPSPACE. Furthermore, we show how to verify a real-time system with respect to a specification in MITL.

Properties of timed state sequences can, alternatively, be defined by timed automata [AD90]. While the emptiness problem for these automata is solvable, they are not closed under complement. MITL identifies a fragment of the properties definable by timed automata that is closed under all boolean operations. Thus the novelty of our results is that they give a logical formalism with a continuous interpretation of time that is suitable for the automatic verification and synthesis of finite-state real-time systems.

Both the semantic abstraction of digitizing models as well as the syntactic restriction of excluding equality in timing constraints limit the real-time properties that are definable in a similar way: they rule out the notion of absolute punctuality and replace it by a looser concept of almost-on-time behavior. This sacrifice is viable because, by choosing the clock tick of the digital clock small enough, we can still achieve arbitrary precision in either approach; moreover, the corresponding costs for achieving the desired accuracy are the same.

Yet the introduction of a mandatory slack through the syntax (rather than through the semantics) turns out to be the more powerful technique: we show that the properties of timed state sequences that can be defined in MITL are a proper superset of those definable with equality under a digital-clock interpretation. Also, many of the practically interesting forms of punctuality are still expressible in MITL, such as the requirement that every $p$-state is separated from the closest subsequent $q$-state by precisely 5 time units.

The remainder of the paper is organized in four parts. In Section 2, we introduce and motivate the logic MITL, and show it to be more expressive than digitization. In Section 3, we introduce a variant of timed automata as a model for finite-state real-time systems. In Section 4, we reduce the decision problem for MITL to the emptiness problem of timed automata. In the concluding section, we show how the results of this paper lead to an algorithm that verifies MITL-specifications of real-time systems that are given as timed automata.

We remark that in this paper we introduce MITL with future temporal operators only. All of our results, in particular EXPSPACE-completeness, generalize to MITL with both future and past temporal operators.

2  Metric  Interval  Temporal  Logic 

We define timed state sequences as formal models of real-time behavior. Then we introduce a temporal language to define properties of timed state sequences and study its expressive power.
2.1 Intervals and interval sequences

An interval is a convex subset of the nonnegative real numbers $\mathbb{R}^+$. Intervals may be open, half-open, or closed; bounded or unbounded. More precisely, each interval is of one of the following forms: $[a,b]$, $[a,b)$, $[a,\infty)$, $(a,b]$, $(a,b)$, $(a,\infty)$, where $a \le b$ and $a, b \in \mathbb{R}^+$. For an interval $I$ of the above form, $a$ is its left end-point, and $b$ is its right end-point; the left end-point of $I$ is denoted by $l(I)$ and the right end-point, for bounded $I$, is denoted by $r(I)$.

An interval $I$ is singular iff it is of the form $[a,a]$; that is, $I$ is closed and $l(I) = r(I)$.

Two intervals $I$ and $I'$ are adjacent iff (1) either $I$ is right-open and $I'$ is left-closed, or $I$ is right-closed and $I'$ is left-open, and (2) $r(I) = l(I')$. For instance, the intervals $(1,2]$ and $(2,2.5)$ are adjacent.

An interval sequence $\tau = I_0 I_1 I_2 I_3 \ldots$ is a finite or infinite sequence of intervals that partitions $\mathbb{R}^+$:

1. Any two neighboring intervals $I_i$ and $I_{i+1}$ are adjacent.

2. For all $t \in \mathbb{R}^+$ there is some interval $I_i$ with $t \in I_i$.

In particular, $I_0$ is left-closed and $l(I_0) = 0$; if $\tau$ is finite, then its last interval must be unbounded.

We will freely use intuitive pseudo-arithmetic expressions to denote intervals. For example, the expressions $\le b$ and $> a$ stand for the intervals $[0,b]$ and $(a,\infty)$, respectively; by $< I$ we denote the interval $\{t' \mid 0 \le t' < t \text{ for all } t \in I\}$. The expression $t + I$, where $I$ is an interval and $t \in \mathbb{R}^+$, denotes the interval $\{t + t' \mid t' \in I\}$; similarly, the expressions $I - t$ and $tI$ stand for the intervals $\{t' - t \mid t' \in I \text{ and } t' \ge t\}$ and $\{t t' \mid t' \in I\}$, respectively.

2.2  Timed  state  sequences 

Let $P$ be a finite set of atomic propositions. We assume that, at any point in time, the global state of a (finite-state) system can be modeled by an interpretation (or truth-value assignment) for $P$. We therefore identify states $s$ with subsets of $P$; that is, $s \models p$ iff $p \in s$ (for $p \in P$).

A behavior of a discrete system over time can, consequently, be modeled by a finite or infinite sequence

$$\rho:\ (s_0, I_0) \to (s_1, I_1) \to (s_2, I_2) \to \cdots$$

of states $s_i \in 2^P$ and corresponding time intervals $I_i \subseteq \mathbb{R}^+$. A timed state sequence $\rho = (\sigma, \tau)$ consists of a sequence $\sigma:\ s_0 s_1 s_2 \ldots$ of states and an interval sequence $\tau:\ I_0 I_1 I_2 \ldots$ of the same length.

A timed state sequence $\rho = (\sigma, \tau)$ can be viewed as a map $\rho^*$ from the time domain $\mathbb{R}^+$ to the states $2^P$ (let $\rho^*(t) = s_i$ if $t \in I_i$). Thus a timed state sequence provides complete information about the global state of a system at each time instant: at time $t \in I_i$, the system is in state $\rho^*(t) = s_i$. Timed state sequences obey the finite-variability condition: between any two points in time there are only finitely many state changes. This assumption is adequate for modeling discrete systems.

Given a timed state sequence $\rho = (\sigma, \tau)$, the $i$-th transition point, denoted by $t_i$, is defined to be the left end-point of the interval $I_i$; that is, $t_i = l(I_i)$. Note that the state at time $t_i$ is $s_{i-1}$ if $I_i$ is left-open, and is $s_i$ if $I_i$ is left-closed.

Our definition allows transient states, which occur only at a single point in time. If $I_i$ is a singular interval $[t_i, t_i]$, then the state at time $t_i$ is $s_i$, but the state just before $t_i$ is $s_{i-1}$, and the state just after $t_i$ is $s_{i+1}$. Observe that in such a case neither $s_{i-1}$ nor $s_{i+1}$ can be transient, because the interval $I_{i-1}$ must be right-open and the interval $I_{i+1}$ must be left-open. Transient states are useful for modeling the truth of propositions that represent instantaneous events and, thus, are true only at isolated points in time.

We will also need the concept of a suffix of a timed state sequence. For a timed state sequence $\rho = (\sigma, \tau)$ and time $t \in I_i$, let $\rho^t = (\sigma^t, \tau^t)$ be the timed state sequence with the state component $\sigma^t:\ s_i s_{i+1} s_{i+2} \ldots$ and time component

$$\tau^t:\ (I_i - t)\,(I_{i+1} - t)\,(I_{i+2} - t) \ldots$$

Note that the suffix operator is defined such that $(\rho^t)^*(t') = \rho^*(t + t')$ for all $t' \in \mathbb{R}^+$. In particular, $\rho^0 = \rho$.

2.3  Syntax  and  semantics  of  MITL 

We introduce an extension of linear temporal logic, metric interval temporal logic (or MITL), that is interpreted over timed state sequences. A standard way of adding timing requirements to temporal languages is to replace the temporal operators with time-constrained versions, such as the constrained eventually operator $\Diamond_{[2,4]}$ meaning "eventually within 2 to 4 time units" [EMSS89, AH90, Koy90]. We adopt this approach for MITL, with the restriction that operators cannot be constrained by singular time intervals.
The formulas of MITL are built from atomic propositions by boolean connectives and time-constrained versions of the until operator $\mathcal{U}$; they are defined inductively as follows:

$$\varphi ::= p \mid \neg\varphi \mid \varphi_1 \wedge \varphi_2 \mid \varphi_1\, \mathcal{U}_I\, \varphi_2,$$

where $p \in P$ and $I$ is a nonsingular interval with rational end-points ($I$ may be unbounded).

The formulas of MITL are interpreted over timed state sequences, which provide an interpretation for the atomic propositions at each time instant. Informally, the formula $\varphi_1\, \mathcal{U}_I\, \varphi_2$ holds at time $t \in \mathbb{R}^+$ of a timed state sequence iff there is a later time instant $t' \in t + I$ such that $\varphi_2$ holds at time $t'$ and $\varphi_1$ holds throughout the time interval $(t, t')$.

Given an MITL-formula $\varphi$ and a timed state sequence $\rho = (\sigma, \tau)$, the satisfaction relation $\rho \models \varphi$ is defined inductively as follows:

$$\begin{array}{lcl}
\rho \models p & \text{iff} & p \in s_0; \\
\rho \models \neg\varphi & \text{iff} & \rho \not\models \varphi; \\
\rho \models \varphi_1 \wedge \varphi_2 & \text{iff} & \rho \models \varphi_1 \text{ and } \rho \models \varphi_2; \\
\rho \models \varphi_1\, \mathcal{U}_I\, \varphi_2 & \text{iff} & \rho^t \models \varphi_2 \text{ for some } t \in I, \text{ and } \rho^{t'} \models \varphi_1 \text{ for all } t' \in (0, t).
\end{array}$$

The MITL-formula $\varphi$ is satisfiable (valid) iff $\rho \models \varphi$ for some timed state sequence $\rho$ (all timed state sequences $\rho$, respectively).

Observe that the logic MITL is insensitive to stuttering. Given two timed state sequences $\rho = (\sigma, \tau)$ and $\rho' = (\sigma', \tau')$ such that $\rho'$ has a subsequence of the form

$$(s_{i-1}, I_{i-1}) \to (s_i, I) \to (s_i, I') \to (s_{i+1}, I_{i+1})$$

and $I \cup I' = I_i$, then $\rho^* = \rho'^*$, and $\rho \models \varphi$ iff $\rho' \models \varphi$ for every MITL-formula $\varphi$.

The satisfaction relation has another desirable property: the truth value of any MITL-formula does not change more than $\omega$ times along a timed state sequence. Thus timed state sequences satisfy the finite-variability condition not only with respect to the truth of atomic propositions, but also with respect to arbitrarily complex MITL-formulas. The following lemma states this property formally:

Lemma 2.1 (Model refinement) Let $\varphi$ be an MITL-formula and $\rho = (\sigma, \tau)$ be a timed state sequence. There exists an interval sequence $\tau_\varphi:\ J_0 J_1 \ldots$ such that whenever $t$ and $t'$ belong to the same interval $J_i$, we have $\rho^t \models \psi$ iff $\rho^{t'} \models \psi$ for each subformula $\psi$ of $\varphi$. Moreover, if all interval end-points in $\tau$ are rational numbers, then so are all interval end-points in $\tau_\varphi$.

Proof of Lemma 2.1 Let $\rho = (\sigma, \tau)$. The proof is by induction on the structure of $\varphi$. For an atomic proposition $p$, take $\tau_p$ to be $\tau$. For a negated formula $\neg\varphi'$, take $\tau_{\neg\varphi'}$ to be $\tau_{\varphi'}$. In case of the conjunction $\varphi_1 \wedge \varphi_2$, the interval sequence $\tau_{\varphi_1 \wedge \varphi_2}$ is constructed by taking the intersection of the two interval sequences $\tau_{\varphi_1}$ and $\tau_{\varphi_2}$.

Now let us consider the case that $\varphi$ has the form $\varphi_1\, \mathcal{U}_I\, \varphi_2$. Let $\tau_{\varphi_1 \wedge \varphi_2}$ be the interval sequence $J_0 J_1 \ldots$. We construct a refinement $\tau_\varphi:\ J'_0 J'_1 \ldots$ of $\tau_{\varphi_1 \wedge \varphi_2}$ such that whenever $t$ and $t'$ are in the same interval $J'_i$, then both $t$ and $t'$ belong to the same interval $J_k$, both $t + l(I)$ and $t' + l(I)$ belong to the same interval $J_l$, and, if $I$ is bounded, both $t + r(I)$ and $t' + r(I)$ belong to the same interval $J_m$, for some $k, l, m$. It is clear that such a sequence can be constructed by a finite splitting of each interval $J_i$ such that, if the end-points of all intervals $J_i$ are rational, then so are the end-points of all intervals $J'_i$. Furthermore, it is easy to check that $\rho^t \models \varphi$ iff $\rho^{t'} \models \varphi$ whenever $t$ and $t'$ are in the same interval $J'_i$. ∎

For any MITL-formula $\varphi$, we say that the timed state sequence $\rho = (\sigma, \tau_\varphi)$ is $\varphi$-fine. Clearly, $\varphi$ is satisfiable iff it has a $\varphi$-fine model.

2.4  Defined  operators 

Now let us introduce some standard abbreviations for additional temporal operators. The defined operators $\Diamond_I\, \varphi$ (constrained eventually) and $\Box_I\, \varphi$ (constrained always) stand for $\mathit{true}\, \mathcal{U}_I\, \varphi$ and $\neg\Diamond_I\, \neg\varphi$, respectively. It follows that the formula $\Box_I\, \varphi$ (or $\Diamond_I\, \varphi$) holds at time $t \in \mathbb{R}^+$ of a timed state sequence iff $\varphi$ holds at all times (at some time, respectively) within the interval $t + I$.

We usually suppress the interval $(0, \infty)$ as a subscript. Thus the MITL-operators $\Diamond$, $\Box$, and $\mathcal{U}$ coincide with the conventional unconstrained strict eventually, strict always, and strict until operators of temporal logic. This is because the until operator of MITL is implicitly strict in its first argument. The corresponding non-strict operators are definable in MITL as $\Diamond_{[0,\infty)}$ (also written $\Diamond_{\ge 0}$), $\Box_{\ge 0}$, and

$$\varphi_2 \vee (\varphi_1 \wedge \varphi_1\, \mathcal{U}\, \varphi_2)$$

for $\varphi_1\, \mathbf{U}\, \varphi_2$ (where $\mathbf{U}$ denotes the unconstrained non-strict until operator). Note that, on the other hand, the operator $\mathcal{U}_I$ cannot be defined in terms of an until operator that is not strict in its first argument; this is why we have chosen the strict versions of temporal operators to be primitive.

Using these abbreviations, the typical bounded response property that "every $p$-state is followed by a $q$-state within 5 time units," can be expressed by the MITL-formula

$$\Box_{\ge 0}(p \to \Diamond_{(0,5]}\, q).$$

We also define a constrained unless operator as the dual of the until operator:

$$\varphi_1\, \mathcal{W}_I\, \varphi_2 \quad \text{stands for} \quad \neg((\neg\varphi_2)\, \mathcal{U}_I\, (\neg\varphi_1)).$$

It follows that the formula $\varphi_1\, \mathcal{W}_I\, \varphi_2$ holds at time $t \in \mathbb{R}^+$ of a timed state sequence iff either $\varphi_1$ is true throughout the interval $t + I$, or there is a time instant $t' > t$ such that $\varphi_2$ is true at time $t'$ and $\varphi_1$ holds at all instants $t'' \le t'$ within the interval $t + I$. Note that the unconstrained version $\varphi_1\, \mathcal{W}\, \varphi_2$ of the unless operator of MITL differs slightly from the conventional strict unless operator, which can be defined as $\varphi_1\, \mathcal{W}\, (\varphi_1 \wedge \varphi_2)$.

We  can  apply  the  definition  of  the  unless  operator  to  move  negations 
through  until  operators.  Thus  we  may  obtain,  from  any  MITL-formula,  an 
equivalent  formula,  containing  both  until  and  unless  operators,  in  which  all 
negations  are  in  front  of  atomic  propositions. 

2.5  Avoiding  undecidability 

A few comments on our choice of syntax are in order. First, MITL has no next-time operator, because due to the density of the time domain there is no unique next time. Also, MITL is, syntactically viewed, essentially the restriction of metric temporal logic (MTL [AH90]) that prohibits the use of equality in time bounds. For example, in MITL we cannot directly express the punctuality condition that "every $p$-state is followed by a $q$-state after exactly 5 time units,"

$$\Box_{\ge 0}(p \to \Diamond_{=5}\, q),$$

because the singular interval $[5,5]$ is not allowed as a subscript. We will show that there is, in fact, no MITL-formula that expresses this condition, and that the restriction of MITL to nonsingular intervals is essential for decidability.
Note that some practically important forms of equality are expressible in MITL; we define $\Diamond_{=n}\, \varphi$, for $n > 0$, as an abbreviation for the MITL-formula $\Box_{(0,n)}\, \neg\varphi \wedge \Diamond_{(0,n]}\, \varphi$. Thus the stronger condition that "for every $p$-state the closest subsequent $q$-state is after exactly 5 time units,"

$$\Box_{\ge 0}(p \to \Diamond_{=5}\, q),$$

is expressible in MITL.
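The satisfaction relation of Section 2.3, the abbreviations of Section 2.4 and the $\Diamond_{=n}$ abbreviation just given, worked through as an added Python example that is not part of the paper: for a finite rational timed state sequence it computes the set of times $t$ with $\rho^t \models \varphi$ as a finite list of intervals (finite variability guarantees this), and checks $\Box_{\ge 0}(p \to \Diamond_{(0,5]}\, q)$ and $\Box_{\ge 0}(p \to \Diamond_{=5}\, q)$ on two constructed sequences. The interval-signal representation, the tuple encoding of formulas and all names are my own assumptions.

```python
from fractions import Fraction as F

# Added example (not from the paper): MITL satisfaction over finite rational
# timed state sequences.  An interval is (lo, lo_closed, hi, hi_closed), with
# hi == INF for an unbounded interval; a "signal" is a sorted list of disjoint
# intervals giving the times t at which a formula holds on the suffix rho^t.
INF = None

def is_empty(iv):
    lo, lc, hi, hc = iv
    return hi is not INF and (hi < lo or (hi == lo and not (lc and hc)))

def meet(a, b):
    """Intersection of two intervals, or None if it is empty."""
    lo, lc = max((a[0], a[1]), (b[0], b[1]), key=lambda x: (x[0], not x[1]))
    ends = [(x[2], x[3]) for x in (a, b) if x[2] is not INF]
    hi, hc = min(ends) if ends else (INF, False)   # tie: the open end wins
    iv = (lo, lc, hi, hc)
    return None if is_empty(iv) else iv

def normalize(ivs):
    """Drop empty intervals, sort, and merge overlapping or adjacent ones."""
    out = []
    for iv in sorted((x for x in ivs if x is not None and not is_empty(x)),
                     key=lambda x: (x[0], not x[1])):
        if out:
            lo, lc, hi, hc = out[-1]
            if hi is INF or iv[0] < hi or (iv[0] == hi and (hc or iv[1])):
                ends = [(x[2], x[3]) for x in (out[-1], iv) if x[2] is not INF]
                out[-1] = (lo, lc) + (max(ends) if len(ends) == 2 else (INF, False))
                continue
        out.append(iv)
    return out

def complement(sig):
    """Complement of a signal within [0, oo)."""
    out, cur, cur_closed = [], F(0), True
    for lo, lc, hi, hc in sig:
        out.append((cur, cur_closed, lo, not lc))
        if hi is INF:
            return normalize(out)
        cur, cur_closed = hi, not hc
    return normalize(out + [(cur, cur_closed, INF, False)])

def shift_back(k, i):
    """The set {t' - d : t' in k, d in i}, clipped to [0, oo)."""
    lo, lc = (F(0), True) if i[2] is INF else (k[0] - i[2], k[1] and i[3])
    if lo < 0:
        lo, lc = F(0), True
    hi, hc = (INF, False) if k[2] is INF else (k[2] - i[0], k[3] and i[1])
    return (lo, lc, hi, hc)

def until(s1, s2, i):
    """Times t with some t' in t + i where s2 holds and s1 holds on (t, t')."""
    res = list(s2) if i[0] == 0 and i[1] else []   # t' = t: (t, t) is empty
    ipos = (i[0], i[1] and i[0] > 0, i[2], i[3])    # i without the point 0
    for j in s1:                                    # j: maximal piece of s1
        closure = (j[0], True, j[2], j[2] is not INF)
        for k in (meet(x, closure) for x in s2):    # k: s2 within closure(j)
            if k is not None:                       # and t in [l(j), r(j))
                res.append(meet(shift_back(k, ipos), (j[0], True, j[2], False)))
    return normalize(res)

def holds(formula, rho):
    """Signal of the formula on rho, following the satisfaction relation."""
    op = formula[0]
    if op == 'true':
        return [(F(0), True, INF, False)]
    if op == 'atom':
        return normalize([iv for s, iv in rho if formula[1] in s])
    if op == 'not':
        return complement(holds(formula[1], rho))
    if op == 'and':
        a, b = holds(formula[1], rho), holds(formula[2], rho)
        return normalize([meet(x, y) for x in a for y in b])
    return until(holds(formula[1], rho), holds(formula[3], rho), formula[2])

def satisfies(rho, formula):
    """rho |= formula, i.e. time 0 lies in the signal of the formula."""
    sig = holds(formula, rho)
    return bool(sig) and sig[0][0] == 0 and sig[0][1]

# Formula constructors and the abbreviations of Sections 2.4 and 2.5.
TRUE = ('true',)
def atom(p): return ('atom', p)
def neg(f): return ('not', f)
def conj(f, g): return ('and', f, g)
def implies(f, g): return neg(conj(f, neg(g)))
def ev(i, f): return ('until', TRUE, i, f)         # true U_i f
def alw(i, f): return neg(ev(i, neg(f)))           # not ev_i not f
def ev_eq(n, f):                                   # alw_(0,n) not f  and  ev_(0,n] f
    return conj(alw((F(0), False, F(n), False), neg(f)), ev((F(0), False, F(n), True), f))
GE0 = (F(0), True, INF, False)

# Constructed sequences: in RHO the closest q after every p comes exactly 5
# units later; in RHO2 it comes after 4 units.  Transient states are [a, a].
def pt(a): return (F(a), True, F(a), True)
def opn(a, b): return (F(a), False, F(b) if b is not INF else INF, False)
RHO = [({'p'}, pt(0)), (set(), opn(0, 5)), ({'q'}, pt(5)), (set(), opn(5, 7)),
       ({'p'}, pt(7)), (set(), opn(7, 12)), ({'q'}, pt(12)), (set(), opn(12, INF))]
RHO2 = [({'p'}, pt(0)), (set(), opn(0, 4)), ({'q'}, pt(4)), (set(), opn(4, INF))]
BOUNDED = alw(GE0, implies(atom('p'), ev((F(0), False, F(5), True), atom('q'))))
PUNCTUAL = alw(GE0, implies(atom('p'), ev_eq(5, atom('q'))))
```

Both sequences satisfy BOUNDED, but only RHO satisfies PUNCTUAL, since in RHO2 the first $q$ after the $p$ at time 0 comes after 4 units rather than exactly 5.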

Let MITL$_=$ be the extension of MITL that admits singular intervals as time bounds on the temporal operators. We show that the decision problem of MITL$_=$ is complete for the complexity class $\Pi^1_1$, which is situated in the analytical hierarchy strictly above all recursively enumerable sets (see, for example, [Rog67]). It follows that MITL$_=$ is not even axiomatizable.

Theorem 2.1 (MITL with equality) The decision problem of MITL$_=$ is $\Pi^1_1$-complete.

Proof of Theorem 2.1 [$\Pi^1_1$-hardness] The decision problem for dense MTL is $\Pi^1_1$-complete [AH90]. A close inspection of the proof given there reveals that only one operator with a singular subscript, $\Diamond_{=n}$ for any $n > 0$, is used to demonstrate $\Pi^1_1$-hardness.

There is, however, a subtle difference between the dense interpretations defined in [AH90] and timed state sequences: a dense interpretation consists of an infinite sequence of states and corresponding time instants, not intervals. Consequently, while the formula $\Box_I\, \mathit{false}$ (for any finite nonempty interval $I$) is not satisfiable by any timed state sequence, it is satisfiable by infinitely many dense interpretations, namely those that do not contain any states with times in $I$.

With some care we can still reduce the decision problem for dense MTL to the decision problem for MITL with equality, which demonstrates the $\Pi^1_1$-hardness of the latter logic. Let $r$ be a proposition that is true in infinitely many transient states and nowhere else; that is,

$$\varphi_r:\quad r \wedge \Box_{\ge 0}(r \to (\neg r)\, \mathcal{U}\, r).$$

It is not hard to see that a dense MTL-formula $\varphi$ is valid iff the MITL-formula $\varphi_r \to \varphi^*$ is valid, where $\varphi^*$ is obtained from $\varphi$ by replacing every occurrence of a subformula $\varphi_1\, \mathcal{U}_I\, \varphi_2$ with

$$(r \to \varphi_1)\, \mathcal{U}_I\, (r \wedge \varphi_2).$$
[Containment in $\Pi^1_1$] We show that the validity of a formula $\varphi$ of MITL$_=$ can be phrased as a $\Pi^1_1$-sentence, asserting that all timed state sequences are models of $\varphi$. From Theorem 2.2, to be proved shortly, it follows that if $\varphi$ has a model, then it has a model in which all interval end-points are rational numbers (i.e., a rational model). This observation allows us to assert the validity of $\varphi$ as a $\Pi^1_1$-sentence: $\varphi$ is valid iff $\rho \models \varphi$ for all rational models $\rho$. It is routine to encode a rational model by a set of natural numbers, and to express the satisfaction relation in first-order arithmetic. ∎

Another possible extension of the syntax of MITL is to permit time bounds on both arguments of the until operator, as is the case for all logics that admit explicit references to time in atomic formulas (such as TPTL [AH89]). The intended meaning of the formula $\varphi_1\ {}_{I'}\mathcal{U}_I\ \varphi_2$ at time $t \in \mathbb{R}^+$ of a timed state sequence is that there is a later time instant $t' \in t + I$ such that $\varphi_2$ holds at time $t'$ and $\varphi_1$ holds throughout the time interval $(t + I') \cap [t, t']$. Such an extension leads, however, again to undecidability. This is because the role of $\Diamond_{=n}\, \varphi$ in the undecidability argument for MITL$_=$ can be replaced by the formula $\mathit{false}\ {}_{>n}\mathcal{U}_{\ge n}\ \varphi$.

2.6  Real  versus  rational  time 

Having justified our choice of syntax, let us look at other options for defining the semantics of MITL. While timed state sequences are defined by choosing the set of (nonnegative) reals to model time, for interpreting formulas of MITL, the crucial property of the time domain $\mathbb{R}^+$ is not its continuity, but only its denseness. In particular, we show that replacing the time domain $\mathbb{R}^+$ with the nonnegative rational numbers $\mathbb{Q}^+$ when defining the semantics of MITL does not change the satisfiability (and validity) of any MITL-formula.

We call a timed state sequence $(\sigma, \tau)$ rational iff the end-points of all intervals in $\tau$ are rational. A formula $\varphi$ of MITL$_=$ is said to be $\mathbb{Q}$-satisfiable iff $\rho \models \varphi$ for some rational timed state sequence $\rho$, where the satisfaction relation $\models$ is redefined so that all time quantifiers range over $\mathbb{Q}^+$ only.

We show that this new notion of satisfiability is the same as the old one. In other words, MITL-formulas cannot distinguish the time domain $\mathbb{R}^+$ from the time domain $\mathbb{Q}^+$. This equivalence of real and rational models follows from the following two lemmas.

Lemma 2.2 (Rational models) Let $\varphi$ be an MITL$_=$-formula and $\rho$ a rational $\varphi$-fine timed state sequence. Then $\rho$ $\mathbb{Q}$-satisfies $\varphi$ iff $\rho \models \varphi$.


Proof of Lemma 2.2 We use induction on the structure of $\varphi$. Let us consider only the interesting case, that $\varphi$ has the form $\varphi_1\, \mathcal{U}_I\, \varphi_2$.

Suppose that $\rho = (\sigma, \tau)$ is rational, $\varphi$-fine, and $\mathbb{Q}$-satisfies $\varphi$; that is, $\rho^t$ $\mathbb{Q}$-satisfies $\varphi_2$ for some rational $t \in I$, and $\rho^{t'}$ $\mathbb{Q}$-satisfies $\varphi_1$ for all rationals $0 < t' < t$. By the induction hypothesis, we may conclude that $\rho^t \models \varphi_2$ and $\rho^{t'} \models \varphi_1$ for all rationals $0 < t' < t$. Since $t \in \mathbb{R}^+$, it remains to be shown that $\rho^{t''} \models \varphi_1$ for all reals $0 < t'' < t$. Consider an arbitrary real $0 < t'' < t$, and assume that $t'' \in I_i$. Since $\rho$ is rational, there is also a rational $t' \in I_i$ with $0 < t' < t$. We know that $\rho^{t'} \models \varphi_1$ and, since $\rho$ is $\varphi$-fine, it follows that $\rho^{t''} \models \varphi_1$.

The second direction, that every rational $\varphi$-fine model of $\varphi$ $\mathbb{Q}$-satisfies $\varphi$, follows by a similar argument. ∎

For any MITL-formula $\varphi$, let $n_\varphi$ be the least common denominator of all (rational) interval end-points in $\varphi$; that is, all constants in $\varphi$ are multiples of $1/n_\varphi$.

Lemma 2.3 (Model equivalence) Let $\rho = (\sigma, \tau)$ and $\rho' = (\sigma, \tau')$ be two timed state sequences, and $\varphi$ be a formula of MITL$_=$. Suppose that for all $t \in \mathbb{R}^+$, if $t = t_i + m/n_\varphi$ for some left end-point $t_i$ of an interval in $\tau$ and some nonnegative integer $m \in \mathbb{N}$, then $t \in I_j$ iff $t \in I'_j$. Then $\rho \models \varphi$ iff $\rho' \models \varphi$.

Proof of Lemma 2.3 We write $\rho \sim \rho'$ iff the two timed state sequences $\rho$ and $\rho'$ satisfy the premise of the lemma. First observe that, if $\rho \sim \rho'$ for $\rho = (\sigma, \tau)$ and $\rho' = (\sigma, \tau')$ and $t \in I_i$, then we can find $f(t) \in I'_i$ such that $\rho^t \sim \rho'^{f(t)}$. Furthermore, $f(t) < f(t')$ iff $t < t'$.

Using this observation, the lemma follows by straightforward induction on the structure of $\varphi$. ∎

Lemma 2.3 classifies timed state sequences into equivalence classes such that the members of a class cannot be distinguished by formulas of MITL$_=$. It implies, in particular, the following theorem:

Theorem 2.2 (Rational time) A formula $\varphi$ of MITL$_=$ is $\mathbb{Q}$-satisfiable iff it is satisfiable.

Proof of Theorem 2.2 Suppose that $\varphi$ is $\mathbb{Q}$-satisfiable in the rational model $\rho$. By Lemma 2.1, there is a rational $\varphi$-fine refinement of $\rho$ that $\mathbb{Q}$-satisfies $\varphi$. By Lemma 2.2, this refinement is a (real) model of $\varphi$.

The proof of the second direction uses Lemma 2.3. Consider a (real) model $\rho$ of $\varphi$. The lemma allows us to adjust the interval boundaries in $\rho$ as long as (1) no interval is adjusted across multiples of $1/n_\varphi$, and (2) the ordering of the fractional parts (modulo $1/n_\varphi$) of all interval boundaries is not altered. The denseness of $\mathbb{Q}^+$ allows us to adjust all boundaries to be rational numbers. The resulting rational timed state sequence is a (real) model of $\varphi$ and, by Lemma 2.1 and Lemma 2.2, its $\varphi$-refinement $\mathbb{Q}$-satisfies $\varphi$. ∎


2.7  Expressive  power  of  MITL 

We define the semantics of a system as a set of timed state sequences; such a set is called a real-time property. Every formula $\varphi$ of a real-time logic (say, MITL) specifies a real-time property, namely the set of models of $\varphi$. The expressive power of a logic is measured by the real-time properties that can be specified by formulas of the logic.

We compare the expressive power of MITL to the use of a digital clock and MTL, which admits singular intervals as time bounds on temporal operators. More precisely, we show that the analog-clock model without equality (MITL) is more expressive than any digital-clock model with equality (MTL).

First let us review the definition of the logic MTL [AH90]. The syntax of MTL is the same as that of MITL$_=$. The formulas of MTL are interpreted over observation sequences. An observation sequence $\varrho$ is an infinite sequence

$$(s_0, T_0) \to (s_1, T_1) \to (s_2, T_2) \to \cdots$$

of observations. Each observation consists of a state $s_i \in 2^P$ and a time stamp $T_i \in \mathbb{N}$. The observation sequence $\varrho$ satisfies the initiality condition that $T_0 = 0$, the monotonicity condition that $T_i \le T_{i+1}$ for all $i \ge 0$, and the progress condition that, for all $n \in \mathbb{N}$, there is some $i \ge 0$ such that $T_i > n$.

For an observation sequence $\varrho$ and an MTL-formula $\varphi$, the satisfaction relation $\varrho \models \varphi$ is defined as usual by induction on the structure of $\varphi$. The following clause considers the case of the (strict) until operator:

$$\varrho \models \varphi_1\, \mathcal{U}_I\, \varphi_2 \quad \text{iff} \quad \varrho^i \models \varphi_2 \text{ for some } i > 0 \text{ with } T_i \in I, \text{ and } \varrho^j \models \varphi_1 \text{ for all } 0 < j < i.$$

(For an observation sequence $\varrho$ and $i \in \mathbb{N}$, the observation sequence $\varrho^i$ is the suffix of the shifted sequence $\varrho - T_i$ that begins with the observation $(s_i, 0)$.) We consider only the fragment of MTL without the next-state operator; this restriction makes MTL-formulas insensitive to stuttering.
We need to formalize which real-time properties can be specified in MTL. To this end, let us consider how to extract an observation sequence from a timed state sequence $\rho$ that describes the actual behavior of a real-time system. Observations are made with respect to a digital clock; the observation at time $t$ records the state $\rho^*(t)$ and the value of the clock at time $t$. Clearly the observations depend on how fast the clock ticks, and at what time the clock is started.

Consequently, we define a digital clock $D = (\delta, \varepsilon)$ to be a pair consisting of the distance $\delta \in \mathbb{R}^+$ between two successive clock ticks and the time $\varepsilon \in \mathbb{R}^+$ of the first clock tick; that is, $0 \le \varepsilon < \delta$. At time $t \in \mathbb{R}^+$ the clock $D$ shows the integer value $t_D = \lceil (t - \varepsilon)/\delta \rceil$. The clock $D$ is called rational iff both $\delta$ and $\varepsilon$ are rational numbers.

The $D$-observation of the timed state sequence $\rho$ at time $t$ is $O_t = (\rho^*(t), t_D)$. As time increases, the $D$-observation stays the same until either the clock ticks or the state changes along $\rho$. All possible $D$-observations along $\rho$ can be described by an $\omega$-sequence: the $D$-observed behavior of $\rho$ is the observation sequence

$$\rho_D:\quad O_{t_0} \to O_{t_1} \to O_{t_2} \to \cdots,$$

such that for all $i \ge 0$, (1) $t_i < t_{i+1}$, and (2) for all $t \in (t_i, t_{i+1})$, $O_t$ equals either $O_{t_i}$ or $O_{t_{i+1}}$. These properties define $\rho_D$ uniquely modulo stuttering (i.e., duplication of neighboring observations). Furthermore, the state component of $\rho_D$ is the state component of $\rho$ (modulo stuttering) with, if $\rho$ is finite, infinite repetition of the final state.

For instance, consider the timed state sequence $\rho_1$:

$(s_0, [0,1)) \to (s_1, [1,1]) \to (s_2, (1,1.5]) \to (s_3, (1.5,\infty)).$

Then the digital clock $(1, 0.5)$ observes the observation sequence $\rho_{(1,0.5)}$:

$(s_0,0) \to (s_0,1) \to (s_1,1) \to (s_2,1) \to (s_3,2) \to (s_3,3) \to (s_3,4) \to \cdots$
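The extraction of $\rho_D$ from a timed state sequence, as an added Python example (it is not part of the paper): intervals are encoded as tuples with closedness flags, the clock value follows the definition $t_D = \lceil (t-\varepsilon)/\delta \rceil$, and the sequence is sampled at every breakpoint and once in between consecutive breakpoints, which enumerates every observation because an observation can only change at a clock tick or at a state change. The names (`RHO_1`, `observed_behavior`) and the finite horizon up to which the infinite sequence is listed are the example's own assumptions.

```python
from fractions import Fraction as F
from math import ceil

# Constructed encoding of the page's timed state sequence rho_1 as
# (state, lower, upper, left_closed, right_closed); upper=None means +infinity.
RHO_1 = [
    ("s0", F(0), F(1), True, False),        # (s0, [0, 1))
    ("s1", F(1), F(1), True, True),         # (s1, [1, 1])
    ("s2", F(1), F(3, 2), False, True),     # (s2, (1, 1.5])
    ("s3", F(3, 2), None, False, False),    # (s3, (1.5, inf))
]


def state_at(rho, t):
    """State of the timed state sequence rho at time t (its intervals partition R+)."""
    for state, lo, hi, lc, rc in rho:
        above = t > lo or (lc and t == lo)
        below = hi is None or t < hi or (rc and t == hi)
        if above and below:
            return state
    raise ValueError(f"no interval of rho contains time {t}")


def clock_value(clock, t):
    """Value t_D shown by the digital clock D = (delta, eps) at time t: ceil((t - eps)/delta)."""
    delta, eps = clock
    return ceil((t - eps) / delta)


def observed_behavior(rho, clock, horizon):
    """Observation sequence rho_D up to time `horizon`, with stuttering removed.

    o_t can only change when the clock ticks or the state of rho changes, so sampling
    every breakpoint and the open piece between two consecutive breakpoints (at its
    midpoint) visits every observation in order.
    """
    delta, eps = clock
    breaks = {F(0), horizon}
    for _, lo, hi, _, _ in rho:
        breaks.add(lo)
        if hi is not None and hi <= horizon:
            breaks.add(hi)
    k = 0
    while eps + k * delta <= horizon:       # tick times eps, eps + delta, ...
        breaks.add(eps + k * delta)
        k += 1
    points = sorted(breaks)
    samples = []
    for a, b in zip(points, points[1:]):
        samples.append(a)                   # the breakpoint itself
        samples.append((a + b) / 2)         # a representative of the open piece (a, b)
    samples.append(points[-1])
    seq = []
    for t in samples:
        obs = (state_at(rho, t), clock_value(clock, t))
        if not seq or seq[-1] != obs:       # drop stuttering duplicates
            seq.append(obs)
    return seq
```

With the clock $(1, 0.5)$ the function reproduces the seven observations listed above; with the clock $(1, 0)$ the tick at time 1 coincides with the state change, so $s_2$ is first observed with clock value 2.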

For every digital clock $D$, every formula $\phi$ of MTL specifies a real-time property $\Pi^D_\phi$, the set of timed state sequences $\rho$ such that $\rho_D \models \phi$. We say that the MTL-formula $\phi$ $D$-specifies the real-time property $\Pi^D_\phi$.

Now we can be specific about the sense in which the analog-clock model is, even without equality, more expressive than the digital-clock model, for any choice of digital clock.
Theorem 2.3 (Expressiveness of MITL) (a) Every real-time property that can be $D$-specified by an MTL-formula for some rational digital clock $D$, can also be specified in MITL. (b) There is a real-time property that can be specified in MITL but not $D$-specified by any MTL-formula for any digital clock $D$.

Proof of Theorem 2.3 (a) Given a rational clock $D = (\delta, \varepsilon)$ and a formula $\phi$ of MTL, we construct an MITL-formula that specifies the real-time property $\Pi^D_\phi$. We assume that $\phi$ contains only intervals of the form $[0,0]$, $[1,1]$, $[m,n]$ for $2 \le m \le n$, and $[m,\infty)$ for $m \ge 2$. It is trivial to convert any MTL-formula into this form; for instance, the MTL-formula $\Diamond_{\le 5}\, \psi$ is equivalent to the formula $\Diamond_{=0}\, \psi \vee \Diamond_{=1}\, \psi \vee \Diamond_{[2,5]}\, \psi$.

We model the ticks of the digital clock $D$ by a new proposition $r$ that holds only in transient states:

$\phi_D:\quad \Box_{<\varepsilon}\, \neg r \;\wedge\; \Diamond_{\le \varepsilon}\, r \;\wedge\; \Box_{\ge 0}\bigl(r \to (\neg r)\, U_{=\delta}\, r\bigr).$

Let $\phi'$ be the MITL-formula that results from $\phi$ by replacing every occurrence of a subformula $\psi_1\, U_I\, \psi_2$ with

$\psi_2 \;\vee\; (\psi_1 \wedge \neg r)\, U_{>0}\, \psi_2$

if $I$ is $[0,0]$; with

$\bigl(r \wedge (\psi_1 \wedge \neg r)\, U_{>0}\, \psi_2\bigr) \;\vee\; \psi_1\, U_{(0,\delta]}\bigl(r \wedge \psi_1 \wedge (\psi_1 \wedge \neg r)\, U_{>0}\, \psi_2\bigr)$

if $I$ is $[1,1]$; with

if $I$ is bounded and $l(I) > 1$; and with

$\cdots \wedge \psi_1\, U\, \psi_2)$

if $I$ is unbounded and $l(I) > 1$. It is not hard to show that $\rho_D \models \phi$ iff $\rho \models \phi_D \wedge \phi'$, for every timed state sequence $\rho$.

For example, consider the MTL-formula

$\Box_{\ge 0}(p \to \Diamond_{=5}\, q),$

and the digital clock $D = (1,0)$. This formula $D$-specifies the property that "for every $p$-state there is a $q$-state separated from $p$ by exactly five integer times," and is equivalent to the MITL-formula

$\phi_{(1,0)} \;\wedge\; \Box_{\ge 0}\bigl(p \to \Diamond_{[4,5)}(r \wedge \Diamond_{(0,1)}\, q)\bigr),$

where $\phi_{(1,0)}$ is the tick formula for the clock $(1,0)$.
(b) From the tableau decision procedure for MTL [AH90], it follows that if a formula $\phi$ of MTL is satisfiable, then it has a model $\rho_D$ such that any two state changes in $\rho$ are separated by at least some minimum time gap (which depends on $D$ and the size of $\phi$). In fact, for any digital clock $D$ one can always construct timed state sequences in $\Pi^D_\phi$ that become periodic after some point in time. We show that this is not the case for MITL (although, as we shall see later, it is the case that any satisfiable MITL-formula has a model in which in any fixed interval of time there is only a bounded number of state changes).

Let us construct a satisfiable MITL-formula $\phi$ with the property that every model $\rho = (\sigma, \tau)$ of $\phi$ contains arbitrarily close state changes; that is, for every real $\epsilon > 0$, there is some $i \ge 1$ such that $s_{i-1} \ne s_i$ and $s_i \ne s_{i+1}$ and $t_{i+1} - t_i < \epsilon$. The set of models of $\phi$ can clearly not be specified in MTL, for any choice of digital clock $D$.

The formula $\phi$ uses three propositions $p$, $q$, and $r$. First, it requires at most one of these three propositions to be true at any state. In addition, it has the following three conjuncts. The first condition,

$r \;\wedge\; \Box_{\ge 0}\bigl(r \to (\neg r)\, U_{=2}\, r\bigr),$

places transient $r$-states at precisely the even integers. The second condition,

$\Box_{\ge 0}\bigl((p \vee q) \to \Diamond_{<1}\, r\bigr),$

ensures that $p$ and $q$ can only hold in the second half of the intervals of length 2 separating consecutive $r$-states. The third condition,

$\Diamond_{<2}\, p \;\wedge\; \Box_{\ge 0}(p \to \Diamond_{<1}\, q) \;\wedge\; \Box_{\ge 0}(q \to \Diamond_{(2,3)}\, p),$

implies that there is a $p$-state, and later a $q$-state, between every pair of consecutive $r$-states, and thus between every odd integer and the subsequent even integer.

Moreover, from any model of $\phi$ we can extract an infinite sequence of alternating $p$- and $q$-states, with the $q$-state following a $p$-state guaranteed by the condition $p \to \Diamond_{<1}\, q$, and the $p$-state following a $q$-state by the condition $q \to \Diamond_{(2,3)}\, p$. The times that are associated with the states in this sequence, taken modulo 2, form a strictly increasing infinite sequence of reals contained in the interval $(1,2)$. Since this time sequence is bounded above, there must be arbitrarily close pairs of a $p$-state followed by a $q$-state. It follows that $\phi$ has no eventually periodic models.

On the other hand, the MITL-formula $\phi$ is satisfiable; a model for $\phi$ can be readily constructed by introducing, in addition to the transient $r$-states at all even integers, transient $p$-states at time $2n - 2/4^n$, and transient $q$-states at time $2n - 1/4^n$, for each integer $n \ge 1$. ■
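The model just described can be checked mechanically. The following Python code is an added example (it is not part of the paper): it builds the transient $p$-, $q$- and $r$-states for the first $n$ periods with exact rational arithmetic, tests the three conjuncts on every event whose obligations fall inside the finite prefix, and reports the smallest distance between consecutive state changes, which shrinks as $1/4^n$. The function names and the finite horizon are the example's own.

```python
from fractions import Fraction as F


def model(n_max):
    """Transient states of the constructed model as a time-sorted list of
    (time, proposition): r at every even integer 2n (n >= 0), p at 2n - 2/4^n and
    q at 2n - 1/4^n for 1 <= n <= n_max.  At all other times the state is empty."""
    events = [(F(2 * n), "r") for n in range(n_max + 1)]
    for n in range(1, n_max + 1):
        events.append((F(2 * n) - F(2, 4 ** n), "p"))
        events.append((F(2 * n) - F(1, 4 ** n), "q"))
    return sorted(events)


def within(t2, t, lo, hi, lo_closed, hi_closed):
    """Is t2 - t inside the interval described by lo, hi and the closedness flags?"""
    d = t2 - t
    return (d > lo or (lo_closed and d == lo)) and (d < hi or (hi_closed and d == hi))


def exists_after(events, prop, t, window):
    """Diamond_window prop, evaluated at time t over the event list."""
    return any(q == prop and within(t2, t, *window) for t2, q in events)


LT1 = (F(0), F(1), True, False)        # the subscript "<1", i.e. [0, 1)
LT2 = (F(0), F(2), True, False)        # the subscript "<2", i.e. [0, 2)
OPEN23 = (F(2), F(3), False, False)    # (2, 3)


def satisfies_conditions(events, horizon):
    """Check the three conjuncts of phi.  Obligations of events closer than 3 time
    units to the horizon may lie beyond the finite prefix and are not checked."""
    r_times = [t for t, q in events if q == "r"]
    ok = bool(r_times) and r_times[0] == 0 and all(t % 2 == 0 for t in r_times)
    ok = ok and all(b - a == 2 for a, b in zip(r_times, r_times[1:]))  # r -> (not r) U_{=2} r
    ok = ok and exists_after(events, "p", F(0), LT2)                   # Diamond_{<2} p
    for t, q in events:
        if t + 3 > horizon:
            continue
        if q in ("p", "q"):
            ok = ok and exists_after(events, "r", t, LT1)      # (p or q) -> Diamond_{<1} r
        if q == "p":
            ok = ok and exists_after(events, "q", t, LT1)      # p -> Diamond_{<1} q
        if q == "q":
            ok = ok and exists_after(events, "p", t, OPEN23)   # q -> Diamond_{(2,3)} p
    return ok


def min_gap(events):
    """Smallest distance between two consecutive state changes of the model."""
    times = sorted({t for t, _ in events})
    return min(b - a for a, b in zip(times, times[1:]))
```

Dropping the $q$-states from the event list makes the check fail, because $p \to \Diamond_{<1}\, q$ is then violated at the first $p$-state.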

3 Timed Automata

We use a variant of timed automata defined in [AD90] to model finite-state real-time systems. This formalism is a generalization of (nondeterministic) finite-state machines over infinite strings. While $\omega$-automata generate (or accept) infinite sequences of states [Tho90], timed automata are additionally constrained by timing requirements and produce timed state sequences.

A timed automaton operates with finite control: a finite set of states and a finite set of real-valued clocks. All clocks proceed at the same rate and measure the amount of time that has elapsed since they were started (or reset). Each transition of the automaton may reset some of the clocks; each state of the automaton puts certain constraints on the values of the atomic propositions as well as on the values of the clocks: the control of the automaton can reside in a particular state only if the values of the propositions and clocks satisfy the corresponding constraints.

We permit only simple constraints on the clock values. A clock constraint $I \subseteq \mathbb{R}^+$ is a finite union of (possibly unbounded) intervals with rational end-points; the value $\gamma(x) \in \mathbb{R}^+$ of a clock $x$ satisfies the constraint $I$ iff $\gamma(x) \in I$. We usually denote the clock constraints for a clock $x$ as boolean combinations of arithmetic expressions containing $x$; for instance,

$1 \le x < 3 \;\vee\; x = 4 \;\vee\; x > 5$

stands for the clock constraint $[1,3) \cup [4,4] \cup (5,\infty)$ that restricts the value of $x$. Let $TL$ be the set of clock constraints.

Formally, a timed automaton is a six-tuple $M = (S, C, \mu, \nu, S_0, E)$, where

$S$ is a finite set of states,

$C$ is a finite set of clocks,

$\mu\colon S \to 2^P$ assigns to each state and proposition a truth value,

$\nu\colon S \to TL^C$ assigns to each state and clock a clock constraint,

$S_0 \subseteq S$ is a set of initial states,

$E \subseteq S^2 \times 2^C$ is a set of transitions. Each transition $(s, s', A)$ identifies a source state $s$, a target state $s'$, and a set $A \subseteq C$ of clocks to be reset; we usually denote this transition by $s \xrightarrow{A} s'$.

The runs of a timed automaton define timed state sequences. At any time instant during a run, the configuration of the automaton is completely determined by the state in which the control resides and the values of all clocks. The values of all clocks are given by a clock interpretation $\gamma$, which is a map from $C$ to $\mathbb{R}^+$: for any clock $x \in C$, the value of $x$ under the interpretation $\gamma$ is $\gamma(x) \in \mathbb{R}^+$.

Assume that, at time $t \in \mathbb{R}^+$, a timed automaton is in state $s$ and the clock values are given by the clock interpretation $\gamma$. Suppose that the state of the automaton remains unchanged during the time interval $I$ with $l(I) = t$. All clocks proceed at the same rate as time elapses; at any time $t' \in I$ the value of any clock $x$ is $\gamma(x) + t' - t$. During all this time the value of $x$ satisfies the clock constraint that is associated with $s$ and $x$:

$(\gamma(x) + t' - t) \in \nu(s, x).$

Now suppose that the automaton changes its state at time $r(I) = t''$ via the transition $s \xrightarrow{A} s'$. This state change happens in one of two ways. If $I$ is right-closed, then the state at time $t''$ is still $s$ and

$(\gamma(x) + t'' - t) \in \nu(s, x)$

for all clocks $x$; otherwise the state at time $t''$ is $s'$ and $0 \in \nu(s', x)$ for all clocks $x \in A$, which are reset, and

$(\gamma(x) + t'' - t) \in \nu(s', x)$

for all other clocks.

Let us formalize this intuition. Suppose we are given a timed automaton $M = (S, C, \mu, \nu, S_0, E)$; a run of $M$ is a finite or infinite sequence

$r\colon\quad (s_0, I_0) \xrightarrow{A_1} (s_1, I_1) \xrightarrow{A_2} (s_2, I_2) \xrightarrow{A_3} \cdots$

(with the clock interpretations $\gamma_0, \gamma_1, \gamma_2, \gamma_3, \ldots$ written beneath the respective positions) of states $s_i \in S$, intervals $I_i$, clock sets $A_i \subseteq C$, and clock interpretations $\gamma_i\colon C \to \mathbb{R}^+$ such that

• $s_0 \in S_0$,

• $(s_i, s_{i+1}, A_{i+1}) \in E$ for all $i \ge 0$,

• $I_0 I_1 I_2 \ldots$ is an interval sequence,

• for all $x \in C$ and $i \ge 0$, we have $\gamma_{i+1}(x) = 0$ if $x \in A_{i+1}$, and $\gamma_{i+1}(x) = \gamma_i(x) + r(I_i) - l(I_i)$ otherwise,

• $(\gamma_i(x) + t - l(I_i)) \in \nu(s_i, x)$ for all $x \in C$, $i \ge 0$, and $t \in I_i$.

Figure 1: Timed automaton


Note that, according to this definition, the clocks may start at any real values that satisfy the clock constraints of an initial state.

The run $r$ uniquely determines the timed state sequence

$\rho_r\colon\quad (\mu(s_0), I_0) \to (\mu(s_1), I_1) \to (\mu(s_2), I_2) \to \cdots$

By $\Pi(M)$ we denote the set of all timed state sequences $\rho_r$ that correspond to runs of the timed automaton $M$. We say that $M$ generates (or accepts) the timed state sequences in $\Pi(M)$.

We will use timed automata to model real-time systems. A real-time system is represented by the timed automaton $M$ iff its possible behaviors are exactly the timed state sequences in $\Pi(M)$. Accordingly, the system modeled by $M$ satisfies its MITL-specification $\phi$, denoted by $M \models \phi$, iff $\rho_r \models \phi$ for all runs $r$ of $M$.

We point out that a run may contain transient states. Such states allow us to model instantaneous conditions during the execution of a real-time system, like the occurrence of events. Their times can be enforced accurately by using singular intervals as clock constraints.

Consider, for example, the timed automaton $M$ in Figure 1. The automaton $M$ has six states, $s_0$ to $s_5$, and uses two clocks, $x$ and $y$. The label $x := 0$ on a transition indicates that the clock $x$ is reset by that transition.

The automaton starts in the initial state $s_0$ with the clock $y$ initialised to 0. At time 40 the automaton moves to state $s_5$, and simply loops there. The proposition $p$ denotes an external event which is true only at instantaneous points $t < 40$ in time (and no more than once every 5 time units), namely, whenever $M$ is in state $s_1$. The automaton responds to $p$ by resetting the clock $x$, and then it requires that the proposition $q$ holds over the interval $t + [2,5)$. Thus the automaton $M$ models a system which responds, until time 40, to the event $p$ by setting $q$ to true for the interval $[2,5)$ following $p$. A possible timed state sequence generated by $M$ is

$(\emptyset, [0,13)) \to (\{p\}, [13,13]) \to (\emptyset, (13,15)) \to (\{q\}, [15,20)) \to (\emptyset, [20,40)) \to (\{q\}, [40,\infty)).$
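An added Python example (not the paper's code) that checks the run conditions listed above on a concrete run. The automaton below is an assumed reconstruction built to reproduce the behaviour the text ascribes to Figure 1 (six states, clocks $x$ and $y$, transient $p$ in $s_1$, $q$ over $t + [2,5)$); the page does not give the figure's constraints, so the constraints and transitions here are the example's own. A clock constraint is checked "throughout $I_i$" by requiring the whole range of values $\gamma_i(x) + (I_i - l(I_i))$ to lie in one component interval of the constraint, which is exact as long as the components are disjoint and non-adjacent, as they are here.

```python
from fractions import Fraction as F

INF = None  # an upper bound of None stands for +infinity
# Intervals are tuples (lo, hi, left_closed, right_closed).


def subset(a, b):
    """Is interval a contained in interval b?"""
    alo, ahi, alc, arc = a
    blo, bhi, blc, brc = b
    left_ok = blo < alo or (blo == alo and (blc or not alc))
    if bhi is INF:
        right_ok = True
    elif ahi is INF:
        right_ok = False
    else:
        right_ok = ahi < bhi or (ahi == bhi and (brc or not arc))
    return left_ok and right_ok


def adjacent(i, j):
    """Interval-sequence condition: j starts exactly where i ends, sharing no point."""
    return i[1] is not INF and i[1] == j[0] and i[3] != j[2]


# Assumed timed automaton, constructed after the description of Figure 1 (not the
# figure itself).  y is never reset and so measures global time; s1 is transient
# (x = 0) and carries p; s3 carries q while x in [2,5) and s4 lets q persist; s0
# demands x >= 5, so p occurs at most once every 5 time units; s5 absorbs from y = 40.
MU = {"s0": set(), "s1": {"p"}, "s2": set(), "s3": {"q"}, "s4": {"q"}, "s5": {"q"}}
Y40 = [(F(0), F(40), True, False)]
NU = {  # NU[state][clock]: a clock constraint as a list of disjoint, non-adjacent intervals
    "s0": {"x": [(F(5), INF, True, False)], "y": Y40},
    "s1": {"x": [(F(0), F(0), True, True)], "y": Y40},
    "s2": {"x": [(F(0), F(2), False, False)], "y": Y40},
    "s3": {"x": [(F(2), F(5), True, False)], "y": Y40},
    "s4": {"x": [(F(5), INF, True, False)], "y": Y40},
    "s5": {"x": [(F(0), INF, True, False)], "y": [(F(40), INF, True, False)]},
}
S0 = {"s0"}
E = {("s0", "s1", frozenset({"x"})), ("s1", "s2", frozenset()), ("s2", "s3", frozenset()),
     ("s3", "s4", frozenset()), ("s3", "s0", frozenset()), ("s4", "s0", frozenset()),
     ("s0", "s5", frozenset()), ("s5", "s5", frozenset())}
CLOCKS = ("x", "y")


def check_run(run, gamma0):
    """Check the run conditions for run = [(state, interval, clocks reset on entry), ...]
    with initial clock interpretation gamma0 (the first element's reset set is ignored).
    Returns the clock interpretations gamma_0, gamma_1, ... or None if a condition fails."""
    gammas, gamma = [], dict(gamma0)
    for i, (s, I, resets) in enumerate(run):
        if i == 0:
            if s not in S0 or I[0] != 0 or not I[2]:
                return None
        else:
            prev_s, prev_I, _ = run[i - 1]
            if (prev_s, s, resets) not in E or not adjacent(prev_I, I):
                return None
            elapsed = prev_I[1] - prev_I[0]                  # r(I_{i-1}) - l(I_{i-1})
            gamma = {x: F(0) if x in resets else gamma[x] + elapsed for x in CLOCKS}
        lo, hi, lc, rc = I
        for x in CLOCKS:
            # every value gamma_i(x) + t - l(I_i) for t in I_i must satisfy nu(s_i, x)
            span = (gamma[x], INF if hi is INF else gamma[x] + hi - lo, lc, rc)
            if not any(subset(span, c) for c in NU[s][x]):
                return None
        gammas.append(dict(gamma))
    return gammas


def timed_state_sequence(run):
    """The timed state sequence rho_r determined by a run."""
    return [(frozenset(MU[s]), I) for s, I, _ in run]


# Constructed run: the page's sample sequence, with the q-phase split between s3 and s4.
RUN = [
    ("s0", (F(0), F(13), True, False), frozenset()),
    ("s1", (F(13), F(13), True, True), frozenset({"x"})),
    ("s2", (F(13), F(15), False, False), frozenset()),
    ("s3", (F(15), F(18), True, False), frozenset()),
    ("s4", (F(18), F(20), True, False), frozenset()),
    ("s0", (F(20), F(40), True, False), frozenset()),
    ("s5", (F(40), INF, True, False), frozenset()),
]
# Same run, but q held in s3 for 5 time units: x reaches 7 there, violating x in [2,5).
BAD_RUN = RUN[:3] + [("s3", (F(15), F(20), True, False), frozenset())] + RUN[5:]
```

The initial interpretation must itself satisfy the constraints of $s_0$ (here $x \ge 5$), in line with the remark that clocks may start at any values allowed by an initial state; `timed_state_sequence(RUN)` is the page's sequence up to the split of $[15,20)$ into $[15,18)$ and $[18,20)$.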

The emptiness problem for timed automata is solved in [AD90]: the problem of whether a timed automaton has any run is PSPACE-complete. Our definition of timed automata is somewhat more general than the one in [AD90]; it can also enforce transient states. But the decision procedure for checking emptiness can be easily adapted to prove the following result:

Theorem 3.1 (Emptiness of timed automata) The problem of deciding if $\Pi(M) = \emptyset$ for a timed automaton $M = (S, C, \mu, \nu, S_0, E)$ is PSPACE-complete. Moreover, there is an algorithm that decides this problem in time $O((|S| + |E|) \cdot 2^{H})$.

To enforce fairness constraints on the legal behaviors of a real-time system, we add standard liveness conditions to timed automata, such as Büchi acceptance criteria or Muller acceptance criteria for $\omega$-automata (see [AD90] for details). Theorem 3.1 carries over to either case.

4 Deciding MITL

We solve the satisfiability problem for MITL by reducing it to the emptiness problem for timed automata. Our main result is that, given an MITL-formula $\phi$, we can construct a timed automaton whose runs that meet certain fairness requirements correspond precisely to the timed state sequences that satisfy $\phi$.

4.1 Restricting the problem

To simplify the exposition of the decision procedure, we restrict the satisfiability question for MITL to formulas and models of a specific form and show that this can be done without loss of generality.

Given an MITL-formula $\phi$, a timed state sequence $\rho$, and a constant $a \in \mathbb{Q}$, let $a\phi$ and $a\rho$ be the MITL-formula and the timed state sequence that result from $\phi$ and $\rho$, respectively, by replacing each interval $I$ by the interval $aI$. Clearly, $\rho \models \phi$ iff $a\rho \models a\phi$. Thus, for the purpose of checking the satisfiability of $\phi$, we may assume that all interval end-points in $\phi$ are integers; for if they are not, then consider $a\phi$ for $a$ the least common denominator of all (rational) interval end-points in $\phi$. This translation causes at most a quadratic blow-up in the size of the formula.

Next we give a series of transformations that allow us to rewrite any formula $\phi$ into an equivalent formula $\phi^*$ that contains only temporal operators of very specific forms.

First, we require that no interval in $\phi$ contains 0. This can be achieved by applying the following equivalence:

$\psi_1\, U_I\, \psi_2 \;\equiv\; \psi_2 \;\vee\; \psi_1\, U_{I \cap (0,\infty)}\, \psi_2,$

provided that $0 \in I$.

Secondly, we require that the only unbounded intervals in $\phi$ are of the form $(0,\infty)$. This can be achieved by applying the following two equivalences:

$\psi_1\, U_{(n,\infty)}\, \psi_2 \;\equiv\; \Box_{(0,n]}(\psi_1 \wedge \psi_1\, U\, \psi_2),$

$\psi_1\, \bar{U}_{[n,\infty)}\, \psi_2 \;\equiv\; \Box_{(0,n)}\, \psi_1 \;\wedge\; \Box_{(0,n)}\bigl(\psi_2 \vee (\psi_1 \wedge \ldots$

provided that $n > 0$.

Thirdly, we require that only the eventually and the always operators are constrained with bounded intervals $I$ such that $l(I) = 0$. This can be achieved by applying the following equivalence:

provided that $l(I) = 0$.

Finally, we push all negations in $\phi$ to the inside and use the following equivalence to eliminate each subformula of the form $\psi_1\, \bar{U}\, \psi_2$:

$\psi_1\, \bar{U}\, \psi_2 \;\equiv\; \Box\psi_1 \;\vee\; \psi_1\, U\, (\psi_1 \wedge \psi_2).$

The resulting formula $\phi^*$ is equivalent to $\phi$ and consists of atomic propositions, negated atomic propositions, conjunctions, disjunctions, and temporal subformulas $\psi$ of the following six types:
1. $\psi_1\, U_I\, \psi_2$ with bounded $I$ and $l(I) > 0$.

2. $\psi_1\, \bar{U}_I\, \psi_2$ with bounded $I$ and $l(I) > 0$.

3. $\Diamond_I\, \psi'$ with $I = (0,n)$ or $I = (0,n]$.

4. $\Box_I\, \psi'$ with $I = (0,n)$ or $I = (0,n]$.

5. $\psi_1\, U\, \psi_2$.

6. $\Box\psi'$.

Although these rewritings blow up the size of the formula $\phi$, we can bound the size of the constants in $\phi^*$ and the number of subformulas in $\phi^*$ as follows:

• Let $K \in \mathbb{N}$ be such that $K - 1$ is the largest (integer) constant appearing as an interval end-point in $\phi$. Then the largest constant that occurs as an end-point of an interval in $\phi^*$ is $K - 1$.

• Let $N \in \mathbb{N}$ be the number of atomic propositions, boolean connectives, and temporal operators in $\phi$. Then the number of syntactic subformulas of $\phi^*$ is $O(N)$.

Thus we restrict ourselves to testing the satisfiability of MITL-formulas each of whose temporal subformulas is, according to the above classification, of one of six types, type-1 to type-6.

Moreover, to check the satisfiability of an MITL-formula $\phi$, by Lemma 2.1 we can confine ourselves to the question if $\phi$ has a $\phi$-fine model. Therefore we consider, throughout this section, only $\phi$-fine timed state sequences $\rho = (\sigma, \tau)$. It follows that, if $\psi$ is a subformula of $\phi$, we may write $\rho^i \models \psi$ for "$\rho^t \models \psi$ for all $t \in I_i$." In addition, we assume that all intervals in $\tau$ are either singular or open. This is sufficient, because any model of $\phi$ can be brought into this form by splitting all nonsingular (half)closed intervals; for instance, the interval $[a,b)$ can be split into the two intervals $[a,a]$ and $(a,b)$.

Let us introduce a new atomic proposition $p_{sing}$ such that $\rho^i \models p_{sing}$ iff the $i$-th interval $I_i$ of $\rho = (\sigma, \tau)$ is singular. Hence the proposition $p_{sing}$ holds exactly in every other interval. For a timed state sequence $\rho$ that satisfies these conditions and $t \in \mathbb{R}^+$, let $i$ be such that $t \in I_i$. Then:

$\rho^t \models \psi_1\, U_I\, \psi_2$ iff $\rho^i \models \psi_1$, and both $\rho^j \models \psi_2$ and $\rho^j \models \psi_1 \vee p_{sing}$ for some $j$ with $I_j \cap (t + I) \ne \emptyset$, and $\rho^k \models \psi_1$ for all $i < k < j$.

$\rho^t \models \psi_1\, \bar{U}_I\, \psi_2$ iff $\rho^i \models \psi_1$ in case $I_i \cap (t + I) \ne \emptyset$, and either $\rho^i \models \psi_2 \wedge \neg p_{sing}$, or $\rho^j \models \psi_2$ for some $j > i$ and $\rho^k \models \psi_1$ for all $i < k < j$ with $I_k \cap (t + I) \ne \emptyset$, or $\rho^k \models \psi_1$ for all $k > i$ with $I_k \cap (t + I) \ne \emptyset$.

The different types of temporal subformulas of $\phi$ are handled differently by our algorithm. The simplest case is that of type-5 and type-6 formulas; they are treated essentially in the same way in which tableau decision procedures for linear temporal logic handle unconstrained temporal operators. The most interesting case is that of type-1 and type-2 formulas. We concentrate first on this case. The case of type-3 and type-4 formulas will be considered later.

4.2 Outline of the algorithm

Consider the MITL-formula

$\Box_{[0,1)}(p \to \Diamond_{[1,2]}\, q).$

Let us assume that both $p$ and $q$ are true only in singular intervals and let us try to build a timed automaton that accepts precisely the models of this formula.

Whenever the automaton visits a $p$-state, it needs to make sure that within 1 to 2 time units a $q$-state is visited. This can be done by setting a clock $x$ to 0 when the $p$-state is visited, and demanding that some $q$-state with the clock constraint $1 \le x \le 2$ is visited later. This strategy requires a clock per visit to a $p$-state within the interval $[0,1)$; however, the number of such visits is potentially unbounded and, hence, an automaton with a fixed number of clocks cannot reset a new clock for every visit. That is why this simple strategy cannot be made to work.

An alternative approach is to guess the times for future states in advance. The automaton nondeterministically guesses two time values $t_1$ and $t_2$ within the interval $[0,1)$; this is done by resetting a clock $x$ at time $t_1$ and another clock $y$ at time $t_2$. The guess is that the last $q$-state within the interval $[1,2)$ is at time $t_1 + 1$, and that the first $q$-state within the interval $[2,3)$ is at time $t_2 + 2$. If the guesses are correct, then the formula $\Diamond_{[1,2]}\, q$ holds during the intervals $[0,t_1]$ and $[t_2,1)$, and does not hold during the interval $(t_1,t_2)$. Consequently, the automaton requires that every $p$-state within the interval $[0,1)$ lies either within $[0,t_1]$ or within $[t_2,1)$. In addition, the automaton needs to make sure that the guesses are right; that is, whenever either $x = 1$ or $y = 2$, the automaton must be in a $q$-state. This strategy requires only two clocks for the interval $[0,1)$ of length 1, irrespective of the number of $p$-states within $[0,1)$.

We say that the guessed times $t_1 + 1$ and $t_2 + 2$ witness the formula $\Diamond_{[1,2]}\, q$ throughout the intervals $[0,t_1]$ and $[t_2,1)$, respectively. In general, the witnesses need not be singular intervals; they can be open intervals. In the following we develop an algorithm based on this idea of guessing, in advance, time intervals that witness temporal formulas and, later, checking the correctness of these guesses. The crucial fact that makes this strategy work, with a finite number of clocks, is that the same interval may serve as a witness for many points in time.

4.3 Witnessing intervals

The interval $I'$ is called a witnessing interval for the MITL-formula $\psi_1\, U_I\, \psi_2$ under $\rho^t$, for a timed state sequence $\rho$ and $t \in \mathbb{R}^+$, iff $I' \cap (t + I) \ne \emptyset$ and $\rho^t \models \psi_1\, U_{J - t}\, \psi_2$ for every nonempty interval $J \subseteq I'$. Observe that if $I'$ witnesses $\psi_1\, U_I\, \psi_2$ under $\rho^t$, then $\rho^{t'} \models \psi_1$ for all $t < t' < r(I')$ and $\rho^{t'} \models \psi_2$ for all $t' \in I'$. The interval $I'$ is a witnessing interval for the MITL-formula $\psi_1\, \bar{U}_I\, \psi_2$ under $\rho^t$ iff $t + I \subseteq I'$ and $\rho^t \models \psi_1\, \bar{U}_{I' - t}\, \psi_2$.

Witnessing intervals are defined such that the following property holds:

Lemma 4.1 (Witnessing intervals) Let $\psi$ be an MITL-formula of the form $\psi_1\, U_I\, \psi_2$ or $\psi_1\, \bar{U}_I\, \psi_2$, let $\rho$ be a timed state sequence and $t \in \mathbb{R}^+$. There is a witnessing interval for $\psi$ under $\rho^t$ iff $\rho^t \models \psi$.

Proof of Lemma 4.1 If $\rho^t \models \psi$ for the formula $\psi = \psi_1\, U_I\, \psi_2$, then $\rho^{t'} \models \psi_2$ for some $t' \in t + I$ and the singular interval $[t', t']$ witnesses $\psi$ under $\rho^t$. If $\rho^t \models \psi$ for the formula $\psi = \psi_1\, \bar{U}_I\, \psi_2$, then the interval $t + I$ witnesses $\psi$ under $\rho^t$.

The other direction of the lemma follows from the semantic clauses for the until and unless operators. ■

Now we show that the same interval may serve as a witnessing interval for a temporal formula under (infinitely) many suffixes of a timed state sequence.


Consider, for example, the timed state sequence $\rho$ over two propositions $p$ and $q$:

$(\{p\}, [0,1.2]) \to (\{p,q\}, (1.2,1.6)) \to (\{p\}, [1.6,\infty)).$

Thus along $\rho$ the proposition $p$ is always true, but the proposition $q$ is true only during the interval $I_q = (1.2, 1.6)$. The interval $I_q$ witnesses the formula $\Diamond_{(1,2)}\, q$ under $\rho^t$ for every $t \in [0,0.6)$. On the other hand, the interval $[1.6,3]$ witnesses the formula $\Box_{(1,2)}(\neg q)$ under $\rho^t$ for every $t \in [0.6,1]$.
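Checking witnessing intervals on this example, as an added Python example that is not part of the paper. For sequences whose propositions are constant on each piece, a bounded interval $I'$ lying after $t$ witnesses $\psi_1\, U_I\, \psi_2$ under $\rho^t$ exactly when $I' \cap (t+I) \ne \emptyset$, $\psi_2$ holds throughout $I'$ and $\psi_1$ holds on $(t, r(I'))$; this is the "observe that" condition above together with its converse, which follows by picking any point of a nonempty $J \subseteq I'$ as the $\psi_2$-point. For $\psi_1\, \bar{U}_I\, \psi_2$ the definition is applied as given, and $\Box_{(1,2)}(\neg q)$ is handled as $(\neg q)\, \bar{U}_{(1,2)}\, \mathit{false}$. The data and function names are the example's own assumptions.

```python
from fractions import Fraction as F

INF = None  # intervals are (lo, hi, left_closed, right_closed); hi None means +infinity

# Constructed encoding of the page's timed state sequence rho over p and q.
RHO = [
    (frozenset({"p"}), (F(0), F(6, 5), True, True)),            # ({p}, [0, 1.2])
    (frozenset({"p", "q"}), (F(6, 5), F(8, 5), False, False)),  # ({p, q}, (1.2, 1.6))
    (frozenset({"p"}), (F(8, 5), INF, True, False)),            # ({p}, [1.6, inf))
]


def nonempty(I):
    lo, hi, lc, rc = I
    return hi is INF or lo < hi or (lo == hi and lc and rc)


def intersect(I, J):
    """The intersection of two intervals as an interval tuple (possibly empty)."""
    if I[0] == J[0]:
        lo, lc = I[0], I[2] and J[2]
    else:
        lo, lc = (I[0], I[2]) if I[0] > J[0] else (J[0], J[2])
    if I[1] is INF:
        hi, rc = J[1], J[3]
    elif J[1] is INF or I[1] < J[1]:
        hi, rc = I[1], I[3]
    elif I[1] == J[1]:
        hi, rc = I[1], I[3] and J[3]
    else:
        hi, rc = J[1], J[3]
    return (lo, hi, lc, rc)


def subset(I, J):
    return intersect(I, J) == I


def shift(I, t):
    """The interval t + I."""
    return (I[0] + t, INF if I[1] is INF else I[1] + t, I[2], I[3])


def holds_throughout(rho, pred, J):
    """pred holds at every time in J; propositions are constant on each piece of rho."""
    return all(pred(st) for st, I in rho if nonempty(intersect(I, J)))


def witnesses_until(rho, psi1, psi2, I, t, Iw):
    """Does the bounded interval Iw (lying after t) witness psi1 U_I psi2 under rho^t?"""
    if Iw[1] is INF or Iw[0] < t:
        return False
    return (nonempty(intersect(Iw, shift(I, t)))
            and holds_throughout(rho, psi2, Iw)
            and holds_throughout(rho, psi1, (t, Iw[1], False, False)))


def witnesses_unless(rho, psi1, psi2, I, t, Iw):
    """Does Iw witness psi1 Ubar_I psi2 under rho^t: t + I lies inside Iw, and along Iw
    psi1 holds unless a psi2-piece is reached first."""
    if not subset(shift(I, t), Iw):
        return False
    for st, J in rho:                         # the pieces of rho, in time order
        if not nonempty(intersect(J, Iw)):
            continue
        if psi2(st):
            return True
        if not psi1(st):
            return False
    return True


def TRUE(st): return True
def FALSE(st): return False
def Q(st): return "q" in st
def NOT_Q(st): return "q" not in st


I_Q = (F(6, 5), F(8, 5), False, False)       # (1.2, 1.6)
OPEN12 = (F(1), F(2), False, False)          # (1, 2)
CLOSED_16_3 = (F(8, 5), F(3), True, True)    # [1.6, 3]
```

`witnesses_until(RHO, TRUE, Q, OPEN12, t, I_Q)` is true for $t$ up to but excluding $0.6$, where $I_q \cap (t+1, t+2)$ becomes empty, and `witnesses_unless(RHO, NOT_Q, FALSE, OPEN12, t, CLOSED_16_3)` is true exactly when $(t+1, t+2) \subseteq [1.6, 3]$, i.e. for $t \in [0.6, 1]$.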

Lemma 4.2 (Sharing type-1 witnesses) Let $\psi$ be the type-1 MITL-formula $\psi_1\, U_I\, \psi_2$. For every timed state sequence $\rho$, there are two bounded intervals $I_1$ and $I_2$ such that, for every $t \in [0,1)$, the formula $\psi$ is satisfied by $\rho^t$ iff either $I_1$ or $I_2$ witnesses $\psi$ under $\rho^t$. Furthermore, $I_i$ is either singular or open, and $r(I_i) \le r(I) + 1$ for $i = 1,2$.

Proof of Lemma 4.2 Let $\rho = (\sigma, \tau)$ be a $\phi$-fine timed state sequence with only singular and open intervals, including the singular interval $[r(I) + 1, r(I) + 1]$ (split intervals if necessary). We choose two witnessing intervals $I_1$ and $I_2$ as follows:

• Let $i$ be the maximal $i \ge 0$ such that $I_i \cap I \ne \emptyset$, both $\rho^i \models \psi_2$ and $\rho^i \models \psi_1 \vee p_{sing}$, and $\rho^k \models \psi_1$ for all $0 < k < i$ with $I_k \cap I \ne \emptyset$. If no such $i$ exists, let $I_1 = \emptyset$; otherwise, let $I_1 = I_i$.

• Let $j$ be the minimal $j \ge 0$ such that $I_j \cap (I + 1) \ne \emptyset$, both $\rho^j \models \psi_2$ and $\rho^j \models \psi_1 \vee p_{sing}$, and $\rho^k \models \psi_1$ for all $0 < k < j$ with $I_k \cap (I \cup (I + 1)) \ne \emptyset$. If no such $j$ exists, let $I_2 = \emptyset$; otherwise, let $I_2 = I_j$.

Assume that $0 \le t < 1$; then $\rho^t$ satisfies $\psi$ iff $\rho^{t'} \models \psi_1$ for all $t' > t$ that lie to the left of $t + I$, and either $I_1 \cap (t + I) \ne \emptyset$ or $I_2 \cap (t + I) \ne \emptyset$. The first case is equivalent to $I_1$ witnessing $\psi$ under $\rho^t$; the second case is equivalent to $I_2$ witnessing $\psi$ under $\rho^t$. ■

In the case of type-2 formulas, a single witness per unit interval suffices to reduce the problem to type 3:

Lemma 4.3 (Sharing type-2 witnesses) Let $\psi$ be the type-2 MITL-formula $\psi_1\, \bar{U}_I\, \psi_2$. For every timed state sequence $\rho$, there is a bounded interval $I'$ such that, for every $t \in [0,1)$, the formula $\psi$ is satisfied by $\rho^t$ iff either $\rho^t$ satisfies the type-3 formula $\Diamond_{(0,\infty) \cap (<I)}\, \psi_2$ (where $(<I)$ denotes the set of reals that are smaller than every point of $I$) or $I'$ witnesses $\psi$ under $\rho^t$. Furthermore, $r(I') \le r(I) + 1$.

Proof of Lemma 4.3 Let $\rho = (\sigma, \tau)$ be a $\phi$-fine timed state sequence with only singular and open intervals, including the singular interval $I_n = [r(I) + 1, r(I) + 1]$ (split intervals if necessary). We choose the witnessing interval $I'$ as follows:

• Let $i$ be the minimal $i \ge 0$ such that $I_i \cap I \ne \emptyset$ and either

1. $\rho^k \models \psi_1$ for all $k \ge i$ with $I_k \cap I \ne \emptyset$, or

2. there is some $i < j \le n$ such that $\rho^j \models \psi_2$ and $\rho^k \models \psi_1$ for all $i \le k < j$.

• Given $i$, let $j$ be the maximal $i \le j \le n$ such that either $\rho^k \models \psi_1$ for all $i \le k < j$, or $\rho^k \models \psi_1 \wedge \psi_2$ for some $i < k < j$. Note that if $i$ exists, then so does $j$; in particular, if $i$ exists because of clause 2, then $j = n$.

If no appropriate $i$ exists, let $I' = \emptyset$; otherwise, let $I'$ be the union of all $I_k$ for $i \le k \le j$.

Assume that $0 \le t < 1$; then $\rho^t$ satisfies $\psi$ iff either (1) $\rho^i \models \psi_1$ for all $i$ with $I_i \cap (t + I) \ne \emptyset$, or (2) $\rho^i \models \psi_1 \wedge \psi_2$ for some $i$ with $I_i \cap (t + I) \ne \emptyset$ and $\rho^k \models \psi_1$ for all $k < i$ with $I_k \cap (t + I) \ne \emptyset$, or (3) $\rho^{t'} \models \psi_2$ for some $t' > t$ that lies to the left of $t + I$. In either of the first two cases, $I'$ witnesses $\psi$ under $\rho^t$; the third case is equivalent to $\rho^t$ satisfying the formula $\Diamond_{(0,\infty) \cap (<I)}\, \psi_2$. If $I'$ witnesses $\psi$ under $\rho^t$, then $\rho^t \models \psi$ by Lemma 4.1. ■

4.4 Type-1 and type-2 formulas

Now we can be more precise about how we will construct the timed automaton that accepts exactly the models of $\phi$. To check the truth of type-1 and type-2 subformulas of $\phi$, the automaton guesses corresponding witnessing intervals. The boundaries of a witnessing interval are marked by clocks; a clock interval is a bounded interval that is defined by its type (e.g., left-closed and right-open) and a pair of clocks. Given a time $t$ and a clock interpretation $\gamma$, the clock interval $C = [x,y]$, for two clocks $x$ and $y$, stands for the closed witnessing interval $[t + K - \gamma(x),\ t + K - \gamma(y)]$; the clock interval $C = [x,y)$ stands for the corresponding half-open interval, etc. We write $K - C$ for the interval $\{K - \gamma(x),\ K - \gamma(y)\}$, for any type of clock interval $C = \{x,y\}$ (the braces standing for the brackets of the respective type).

For simplicity, let us consider a type-1 subformula $\psi$ of the form $\Diamond_I\, \psi'$. The automaton resets, nondeterministically, any of its clocks at any time. When guessing a witnessing interval $I'$, it writes the prediction that "the clock interval $C = \{x,y\}$ witnesses the formula $\psi$" into its memory. If the clock $x$ was reset at time $t_1$, and $y$ was reset at time $t_2 \ge t_1$, then the witnessing interval guessed is $I' = \{t_1 + K,\ t_2 + K\}$. To check the truth of the temporal formula $\psi$ at time $t \ge t_2$, the automaton needs to verify that its guess $I'$ is indeed a witness. The condition $I' \cap (t + I) \ne \emptyset$ translates to verifying the clock constraint $(K - C) \cap I \ne \emptyset$. It remains to be checked that $\psi'$ is satisfied throughout the witnessing interval $I'$; that is, the automaton needs to verify that $\psi'$ holds at all states with the clock constraint $0 \in (K - C)$.

The Lemmas 4.2 and 4.3 are the key to constructing an automaton that needs only finitely many clocks. For the type-1 formula $\psi_1\, U_I\, \psi_2$, at most two witnessing intervals need to be guessed per interval of unit length. Furthermore, the fact that the right end-point of a witnessing interval is bounded allows the automaton to reuse every clock after a period of length $r(I) + 1$. Thus we need, at any point in time, at most $2r(I) + 2$ active clock intervals; that is, clock intervals that stand for a guess of a witnessing interval and, therefore, have to be verified later. Similarly, to check a type-2 formula $\psi_1\, \bar{U}_I\, \psi_2$, we need, at any point in time, no more than $r(I) + 1$ active clock intervals. Consequently, $2K$ clock pairs suffice to check any type-1 subformula of $\phi$, and $K$ clock pairs suffice for any type-2 subformula of $\phi$.

4.5 Type-3 and type-4 formulas

Now let us move to formulas of the form $\Diamond_I\, \psi'$ and $\Box_I\, \psi'$ with $I = (0,n)$ or $I = (0,n]$. Checking the truth of such a formula is much easier and can be done using a single clock.

Consider the type-3 formula $\psi = \Diamond_I\, \psi'$. Whenever the automaton needs to check that $\psi$ holds, say at time $t$, it starts a clock $x$ and writes the corresponding proof obligation into its memory: to verify that $\psi'$ holds at some later state with the clock constraint $x \in I$. The obligation is discharged as soon as an appropriate $\psi'$-state is found. If the automaton encounters another $\psi$-state in the meantime, at time $t' > t$ before the obligation is discharged, it does not need to check the truth of $\psi$ separately for this state. This is because if there is a $\psi'$-state after time $t'$ within the interval $t + I$, then both $\rho^t \models \Diamond_I\, \psi'$ and $\rho^{t'} \models \Diamond_I\, \psi'$. Once the proof obligation is discharged, the clock $x$ can be used again. Thus one clock suffices to check the formula $\psi$ as often as necessary.

The described strategy works for checking the truth of $\psi$ at singular intervals. There is, however, a subtle problem with this method when the truth of $\psi$ during open intervals needs to be checked, as is illustrated by the following example. Consider the timed state sequence

$(\{\}, [0,0]) \to (\{\}, (0,1)) \to (\{p\}, [1,1]) \to \cdots$;

it satisfies the formula $\Diamond_{(0,1)}\,p$ at all times $t \in (0,1)$. To check the truth of $\Diamond_{(0,1)}\,p$ during the open interval $(0,1)$, the automaton starts a clock $x$ upon entry, at time 0. However, the proof obligation that $p$ holds at some later state with the clock constraint $x \in I$ can never be verified. On the other hand, if the automaton were to check, instead, the truth of the formula $\Diamond_{(0,1]}\,p$ during the interval $(0,1)$, then our strategy works and the corresponding proof obligation can be verified, because there is a $p$-state while $x \in (0,1]$ holds. Furthermore, observe that the validity of $\Diamond_{(0,1]}\,p$ throughout the open interval $(0,1)$ implies that $\Diamond_{(0,1)}\,p$ is also true throughout $(0,1)$. In general, the following lemma holds:

Lemma 4.4 (Weakening type-3 formulas) Let $\psi$ and $\hat\psi$ be the type-3 MITL-formulas $\Diamond_I\psi'$ and $\Diamond_{I \cup \{r(I)\}}\psi'$, respectively. For every timed state sequence $\rho = (\sigma, \tau)$ and open interval $I_i$ in $\tau$, $\rho^{I_i} \models \psi$ iff $\rho^{I_i} \models \hat\psi$.

Proof of Lemma 4.4 First note that, for all $t \geq 0$, if $\psi$ is satisfied by $\rho^t$ then $\hat\psi$ is also satisfied by $\rho^t$. This is because $I \subseteq I \cup \{r(I)\}$.

Now consider an open interval $I_i$ and assume that $\rho^{I_i} \models \hat\psi$. If $I$ is right-closed, then $\psi = \hat\psi$. So suppose that $I$ is right-open, and let $t \in I_i$. Since $I_i$ is open, there exists some $t' \in I_i$ with $t' < t$. Since $\rho^{t'} \models \hat\psi$, there exists some $j \geq i$ such that $I_j \cap (t' + (I \cup \{r(I)\})) \neq \emptyset$ and $\rho^{I_j} \models \psi'$. It follows that $I_j \cap (t + I) \neq \emptyset$ and, hence, that $\rho^t \models \psi$. ■

Consequently, to check the truth of a type-3 formula $\psi$ during an open interval, it suffices to check the truth of the weaker formula $\hat\psi$. Accordingly, the automaton we construct writes only the proof obligation that corresponds to checking $\hat\psi$ into its memory.
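As an added illustration, not part of the paper, the following Python script evaluates the type-3 formula $\Diamond_I\,p$ on the example timed state sequence above and simulates the single-clock proof-obligation strategy, showing why the weakened formula of Lemma 4.4 has to be checked during open intervals; the class and function names (Interval, eventually, obligation_discharged, check_open_interval) are ours.

```python
from fractions import Fraction as F

# Added example, not part of the paper: an evaluator for the type-3 formula
# <>_I p over a finite prefix of a timed state sequence, and the
# single-clock proof-obligation strategy of Section 4.5.  It reproduces the
# example ({},[0,0]) ({},(0,1)) ({p},[1,1]) and the weakening of Lemma 4.4.
# The class and function names are ours.

class Interval:
    """Interval of reals with open or closed end-points."""
    def __init__(self, lo, lo_closed, hi, hi_closed):
        self.lo, self.lo_closed = F(lo), lo_closed
        self.hi, self.hi_closed = F(hi), hi_closed

    def shift(self, t):                   # t + I
        return Interval(self.lo + F(t), self.lo_closed,
                        self.hi + F(t), self.hi_closed)

    def intersects(self, other):          # I ∩ J != {} ?
        lo = max(self.lo, other.lo)
        lo_closed = all(i.lo_closed for i in (self, other) if i.lo == lo)
        hi = min(self.hi, other.hi)
        hi_closed = all(i.hi_closed for i in (self, other) if i.hi == hi)
        return lo < hi or (lo == hi and lo_closed and hi_closed)

def weaken(I):
    """Lemma 4.4: the right-closed interval I ∪ {r(I)}."""
    return Interval(I.lo, I.lo_closed, I.hi, True)

# Constructed prefix of the paper's timed state sequence: state sets paired
# with the intervals [0,0], (0,1), [1,1] (singular and open alternate).
SEQ = [
    (frozenset(),      Interval(0, True,  0, True)),
    (frozenset(),      Interval(0, False, 1, False)),
    (frozenset({"p"}), Interval(1, True,  1, True)),
]

def eventually(seq, prop, I, t):
    """rho^t |= <>_I prop: some prop-state meets the interval t + I."""
    return any(prop in props and I.shift(t).intersects(Ij)
               for props, Ij in seq)

def obligation_discharged(seq, prop, I, t0):
    """Clock x is started at time t0; the proof obligation is discharged
    iff a prop-state is met while the clock constraint x in I holds."""
    for props, Ij in seq:
        clock_values = Ij.shift(-t0)      # values of x = time - t0 during Ij
        if prop in props and clock_values.intersects(I):
            return True
    return False

def check_open_interval(seq, prop, I, Ii, samples):
    """Ground truth of <>_I prop at sample times of the open interval Ii,
    against the automaton, which starts the clock on entry to Ii (time
    l(Ii)) and, by Lemma 4.4, checks the weakened formula instead."""
    truth = all(eventually(seq, prop, I, t) for t in samples)
    automaton = obligation_discharged(seq, prop, weaken(I), Ii.lo)
    return truth, automaton
```

With the unweakened interval $(0,1)$ the obligation started at time 0 is never discharged although $\Diamond_{(0,1)}\,p$ holds at every sampled time in $(0,1)$; with the weakened interval $(0,1]$ it is discharged by the $p$-state at time 1.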

For checking a type-4 formula of the form $\psi = \Box_I\psi'$, the situation is symmetric. The automaton uses also a single clock $x$ to check this formula. Whenever the formula $\psi$ needs to be verified, say at time $t$, the automaton starts the clock $x$ with the proof obligation that as long as the clock constraint $x \in I$ holds, so does $\psi'$. The obligation is discharged as soon as $x > I$. If the automaton encounters another $\psi$-state within the interval $t + I$, say at time $t'$, it simply resets the clock $x$, and thus overwrites the previous proof obligation. This strategy is justified by the observation that if $\psi'$ holds throughout the interval $(t, t']$ and $\rho^{t'} \models \Box_I\psi'$, then also $\rho^t \models \Box_I\psi'$. Once the proof obligation is discharged, the clock $x$ can be reused to check $\psi$ again whenever necessary.

As in the case of type-3 formulas, we need to be more careful when checking $\psi$ during open intervals. For the type-4 formula $\psi = \Box_I\psi'$, let $\hat\psi$ be the formula $\Box_{I - \{r(I)\}}\psi'$. From Lemma 4.4 and duality, it follows that for every timed state sequence $\rho = (\sigma, \tau)$, if $I_i$ is open, then $\rho^{I_i} \models \psi$ iff $\rho^{I_i} \models \hat\psi$. Hence to check the truth of $\psi$ during an open interval, it suffices again to check the truth of the weaker formula $\hat\psi$. Accordingly, only a proof obligation for $\hat\psi$ is set up. This is because the corresponding clock $x$ is started at time $l(I_i)$, and for $\psi$ to hold during the open interval $I_i$, $\psi'$ need not hold at time $l(I_i) + r(I)$, even if $I$ is right-closed.

4.6  Constructing  the  timed  automaton 

Now let us define the timed automaton $\mathcal{M}_\phi$ formally. For each temporal subformula of $\phi$ of type-1, the automaton has $2K$ pairs of clocks. These clocks always appear in pairs, to form clock intervals. From any pair of clocks $x$ and $y$, four different clock intervals can be formed: $(x,y)$, $[x,y)$, $(x,y]$, and $[x,y]$. According to Lemma 4.2, for checking type-1 formulas we need only singular and open witnessing intervals. Thus associated with each type-1 subformula $\psi$ of $\phi$ we have $4K$ clock intervals; they are denoted by $C_1(\psi), \ldots, C_{4K}(\psi)$. For each type-2 subformula of $\phi$ the automaton uses $K$ clock pairs, giving $4K$ clock intervals. For subformulas $\psi$ of types 3 and 4, the automaton needs one clock per formula.

In addition to these clocks, we use the clock $x_{\mathit{sing}}$ to enforce that the runs of $\mathcal{M}_\phi$ have alternating singular and open intervals.

Given the MITL-formula $\phi$, we define its closure set $\mathit{Closure}(\phi)$ to consist of the following items:

1. All subformulas of $\phi$.

2. For each type-2 formula $\psi_1\,\tilde{\mathcal{U}}_I\,\psi_2$ in the closure set, the type-3 formula $\Diamond_{(0,\infty)\cap(<I)}\,\psi_2$; for each type-3 formula $\psi = \Diamond_I\psi'$ in the closure set, the type-3 formula $\hat\psi = \Diamond_{I \cup \{r(I)\}}\psi'$; and for each type-4 formula $\psi = \Box_I\psi'$ in the closure set, the type-4 formula $\hat\psi = \Box_{I - \{r(I)\}}\psi'$.

3. For each type-1 formula $\psi$ in the closure set, the clock intervals $C_1(\psi), \ldots, C_{4K}(\psi)$; for each type-2 formula $\psi$ in the closure set, the clock intervals $C_1(\psi), \ldots, C_{4K}(\psi)$; for each type-3 and type-4 formula $\psi$ in the closure set, the clock $x_\psi$.

4. For each clock interval $C = C_j(\psi)$ in the closure set, where $\psi$ is $\psi_1\,\mathcal{U}_I\,\psi_2$ or $\psi_1\,\tilde{\mathcal{U}}_I\,\psi_2$, all clock constraints of the form $0 < (K - C)$, $0 \in (K - C)$, $0 = (K - C)$, $(K - C) = \emptyset$, $I \subseteq (K - C)$, and $(K - C) \cap I \neq \emptyset$; and for each clock $x_\psi$ in the closure set, where $\psi$ is $\Diamond_I\psi'$ or $\Box_I\psi'$, the clock constraints $x_\psi \in I$ and $x_\psi > I$.

We write $0 \in (K - C)$ short for $\{0\} \subseteq (K - C)$. It should be clear that all of these conditions are indeed clock constraints. For instance, the condition $0 \in (K - [x,y))$ stands for the clock constraint $x \leq K \wedge y > K$; the condition $0 = (K - [x,y))$ is never satisfied.

5. The clock constraint $x_{\mathit{sing}} = 0$.

Note that the number of subformulas of $\phi$ is $O(N)$ and the number of clocks is $O(K)$ for each subformula of $\phi$. Hence the size of the closure set $\mathit{Closure}(\phi)$ is $O(N \cdot K)$.

The states of the desired automaton $\mathcal{M}_\phi$ will be subsets of $\mathit{Closure}(\phi)$. We need to consider only those subsets of $\mathit{Closure}(\phi)$ that satisfy certain local consistency constraints. Whenever the automaton is in state $s$, the formulas in $s$ indicate which subformulas of $\phi$ are true. Accordingly, a state $s \subseteq \mathit{Closure}(\phi)$ is initial iff both $\phi$ and $x_{\mathit{sing}} = 0$ are in $s$, and for each state $s$ the propositional constraints $\mu(s)$ are defined such that $p \in \mu(s)$ iff $p \in s$ for all atomic propositions $p \in P$.

The clock constraints $\nu(s)$ are the conjunction of all clock constraints in $s$. The clock intervals in $s$ indicate which clock intervals are currently active and represent witnessing intervals for type-1 and type-2 formulas; the clocks in $s$ indicate which clocks are currently active and represent proof obligations for type-3 and type-4 formulas.

The transitions of $\mathcal{M}_\phi$ are all triples $s \xrightarrow{\lambda} s'$ that satisfy certain global consistency criteria. Both the local and the global consistency conditions are defined in the following catalog. For every state $s \subseteq \mathit{Closure}(\phi)$ and every transition $s \xrightarrow{\lambda} s'$ with source state $s$:

Logical consistency

• For each atomic proposition $p \in P$, precisely one of $p$ and $\neg p$ is in $s$.

• If the formula $\psi_1 \wedge \psi_2$ is in $s$, then both $\psi_1$ and $\psi_2$ are in $s$.

• If the formula $\psi_1 \vee \psi_2$ is in $s$, then either $\psi_1$ or $\psi_2$ is in $s$.

These conditions ensure that no state contains subformulas of $\phi$ that are mutually inconsistent.

Timing consistency

• $s$ contains at most one of the clock constraints $0 < (K - C)$, $0 \in (K - C)$, $0 = (K - C)$, and $(K - C) = \emptyset$ for each clock interval $C$. Furthermore, no two clock intervals in $s$ share clocks; for instance, $s$ does not contain both the clock intervals $(x,y)$ and $[x,y)$.

• $s$ contains at most one of the clock constraints $x_\psi \in I$ and $x_\psi > I$ for each type-3 or type-4 formula $\psi$.

• If $s$ contains $x_{\mathit{sing}} = 0$, then $x_{\mathit{sing}} \notin \lambda$. If $s$ does not contain $x_{\mathit{sing}} = 0$, then $x_{\mathit{sing}} \in \lambda$ and $s'$ contains $x_{\mathit{sing}} = 0$.

These conditions guarantee that no state contains clock constraints that are mutually inconsistent. We say that a state $s$ is singular iff it contains $x_{\mathit{sing}} = 0$; otherwise $s$ is open. The last clause of the above conditions ensures that singular and open states alternate along any run.

Type-1 formulas

Consider a type-1 formula $\psi = \psi_1\,\mathcal{U}_I\,\psi_2$ in the closure set.

Firstly, if $\psi$ is in $s$, then there is some clock interval $C = C_j(\psi)$ such that

• $(K - C) \cap I \neq \emptyset$ is in $s$, and

• either $C$ is in $s$, or $s$ is singular and $C$ is in $s'$ and the clocks associated with $C$ are not in $\lambda$.

The first condition checks that the interval $K - C$ is an appropriate candidate for witnessing the formula $\psi$. The second condition activates the clock interval $C$ to represent a witnessing interval for $\psi$.

Secondly, if some clock interval $C = C_j(\psi)$ is in $s$, then

• if either $0 = (K - C)$ or $0 \in (K - C)$ is in $s$, then $\psi_2$ is in $s$, and

• if either $0 < (K - C)$ or $0 \in (K - C)$ is in $s$, then $\psi_1$ is in $s$, and

• the clocks associated with $C$ are not in $\lambda$ and either $C$ or $(K - C) = \emptyset$ is in $s'$.

The first two conditions verify that the active clock interval $C$ represents indeed a witness for the formula $\psi$. The final condition keeps the clock interval $C$ active as long as necessary.

Suppose that these conditions are satisfied along a run $r$ and the formula $\psi$ is in a state at time $t$. Also assume (the induction hypothesis) that, along the run $r$, whenever a state at time $t'$ contains a subformula $\psi'$ of $\psi$, then $\rho^{t'} \models \psi'$. A clock interval $C = C_j(\psi)$ is activated at time $t$. It is not hard to show that the interval $t + (K - C)$ is a witnessing interval for $\psi$ under $\rho^t$. By Lemma 4.1, it follows that $\rho^t \models \psi$.

Conversely, if $\rho^t \models \psi$, then there is a run $r$ that satisfies all conditions. This is because, by Lemma 4.2, the automaton can, at time $t$, either share an already activated clock interval $C_j(\psi)$ or has enough clocks to activate an unused clock interval $C_j(\psi)$.

Type-2 formulas

Consider a type-2 formula $\psi = \psi_1\,\tilde{\mathcal{U}}_I\,\psi_2$ in the closure set.

Firstly, if $\psi$ is in $s$, then either

• $\Diamond_{(0,\infty)\cap(<I)}\,\psi_2$ is in $s$

or there is some clock interval $C = C_j(\psi)$ such that

• $I \subseteq (K - C)$ is in $s$, and

• either $C$ is in $s$, or $s$ is singular and $C$ is in $s'$ and the clocks associated with $C$ are not in $\lambda$.

If $\Diamond_{(0,\infty)\cap(<I)}\,\psi_2$ holds then so does $\psi$. The second clause corresponds to guessing a witness. The first condition checks that the interval $K - C$ is an appropriate candidate for witnessing the formula $\psi$. The second condition activates the clock interval $C$ to represent a witnessing interval for $\psi$.

Secondly, if some clock interval $C = C_j(\psi)$ is in $s$, then

• if either $0 = (K - C)$ or $0 \in (K - C)$ is in $s$, then $\psi_1$ is in $s$, and

• either $\psi_2$ is in $s$, or the clocks associated with $C$ are not in $\lambda$ and either $C$ or $(K - C) = \emptyset$ is in $s'$.


These conditions ensure that the active clock interval $C$ represents indeed a witness for the formula $\psi$ and that it is kept active as long as necessary.

Soundness and completeness of these conditions follow by the Lemmas 4.1 and 4.3.

Type-3 formulas

Consider a type-3 formula $\psi = \Diamond_I\psi'$ in the closure set.

Firstly, if $\psi$ is in $s$, then either

• $s$ is singular and $x_\psi \in s'$ and $x_\psi \in \lambda$, or

• $s$ is open and $I$ is right-open and $\hat\psi$ is in $s$, or

• $s$ is open and $I$ is right-closed and $x_\psi$ is in $s$.

These conditions activate a clock to represent a proof obligation. Lemma 4.4 justifies the decision to check, if $s$ is open, instead of $\psi$ the weaker type-3 formula $\hat\psi$.

Secondly, if $x_\psi$ is in $s$, then

• $x_\psi \in I$ is in $s$, and

• either $\psi'$ is in $s$, or $x_\psi$ is in $s'$ and $x_\psi \notin \lambda$.

These conditions verify the proof obligation that is represented by the clock $x_\psi$ and keep it active as long as necessary.

Type-4 formulas

Consider a type-4 formula $\psi = \Box_I\psi'$ in the closure set.

Firstly, if $\psi$ is in $s$, then either

• $s$ is singular and $x_\psi \in s'$ and $x_\psi \in \lambda$, or

• $s$ is open and $I$ is right-closed and $\hat\psi$ is in $s$, or

• $s$ is open and $I$ is right-open and $x_\psi \in s$ and $x_\psi \in s'$ and $x_\psi \in \lambda$.

These conditions activate a clock to represent a proof obligation, and reset it, as was justified in the previous subsection. Recall that if $s$ is open, then instead of checking $\psi$ it suffices to check the weaker type-4 formula $\hat\psi$.

Secondly, if $x_\psi$ is in $s$, then

• $\psi'$ is in $s$, and

• either $x_\psi$ or $x_\psi > I$ is in $s'$.

The first condition verifies the proof obligation that is represented by the clock $x_\psi$, and the second condition keeps it active as long as necessary.

Type-5 formulas

Consider a type-5 formula $\psi = \psi_1\,\mathcal{U}\,\psi_2$ in the closure set. Whenever $\psi$ is in $s$, then either

• $s$ is singular and $\psi \in s'$, or

• $s$ is open and $\psi_1$ is in $s$, and either $\psi_2$ is in $s$ or $\psi_2$ is in $s'$ or both $\psi_1$ and $\psi$ are in $s'$.

These conditions ensure that unconstrained until formulas are propagated correctly (remember that singular and open intervals alternate).

Type-6 formulas

Consider a type-6 formula $\psi = \Box\psi'$ in the closure set. Whenever $\psi$ is in $s$, then either

• $s$ is singular and $\psi \in s'$, or

• $s$ is open and $\psi' \in s$ and both $\psi'$ and $\psi$ are in $s'$.

These conditions guarantee that unconstrained always formulas are propagated forever.

This concludes the definition of the timed automaton $\mathcal{M}_\phi$. The runs of $\mathcal{M}_\phi$ are defined as before. We put, however, additional fairness requirements on the timed state sequences that are generated by $\mathcal{M}_\phi$. A run $r$ is called accepting iff for every type-5 formula $\psi$ of the form $\psi_1\,\mathcal{U}\,\psi_2$, if $\psi$ is in some state $s$ along $r$, then $\psi_2$ is in some later state $s'$.

The following main lemma states the correctness of our construction by relating the accepting runs of $\mathcal{M}_\phi$ to the models of $\phi$.

Lemma 4.5 (Correctness of $\mathcal{M}_\phi$) A timed state sequence $\rho$ satisfies an MITL-formula $\phi$ iff the timed automaton $\mathcal{M}_\phi$ has an accepting run $r$ with $\rho = \rho_r$.
Proof of Lemma 4.5 It can be shown, by induction on the structure of $\phi$, that given an accepting run $r$ of $\mathcal{M}_\phi$, if a subformula $\psi$ of $\phi$ is in a state $s$ in $r$ at time $t \in \mathbb{R}^{+}$, then $\rho_r^t \models \psi$. We have outlined the crucial arguments for the six interesting cases of temporal subformulas above.

Conversely, given a fine model $\rho$ of $\phi$ with alternating singular and open intervals, we can construct an accepting run $r$ of $\mathcal{M}_\phi$ such that $\rho = \rho_r$. The Lemmas 4.2 and 4.3 instruct us how to use the limited number of available clocks to mark witnessing intervals. ■

This result yields algorithms for checking the satisfiability and validity of the given MITL-formula $\phi$. To check satisfiability, we first construct the timed automaton $\mathcal{M}_\phi$ and then we use the algorithm that checks whether $\mathcal{M}_\phi$ has any accepting run to test if $\phi$ has a model. Similarly, $\phi$ is valid iff $\mathcal{M}_{\neg\phi}$ has no accepting run.


4.7  Complexity  of  MITL 

We conclude this section by showing that our decision procedure for MITL is in EXPSPACE, and that this is optimal, because the decision problem for MITL is EXPSPACE-complete.

Recall that the size $|\mathit{Closure}(\phi)|$ of the closure set of $\phi$ is $O(N \cdot K)$, where $N$ is the number of atomic propositions, boolean connectives, and temporal operators in $\phi$, and $K - 1$ is the product of the largest constant in $\phi$ and the least common denominator of all constants in $\phi$. Clearly, $|\mathit{Closure}(\neg\phi)| = O(N \cdot K)$ as well.

Hence the number of states in $\mathcal{M}_\phi$ and $\mathcal{M}_{\neg\phi}$ is $O(2^{N \cdot K})$. Consequently, the description of $\mathcal{M}_\phi$ can be given in space polynomial in $N \cdot K$; that is, in space exponential in the length of $\phi$, assuming binary encoding of all interval end-points. The emptiness problem for a timed automaton $\mathcal{M}$ can be solved in space polynomial in the length of the description of $\mathcal{M}$. It follows that the validity of $\phi$ can be decided in space polynomial in $N \cdot K$; that is, in EXPSPACE.

The lower bound of EXPSPACE for MITL can be shown along the lines of the proof of the EXPSPACE-hardness of the real-time logic MTL [AH90].

Theorem 4.1 (Complexity of MITL) The decision problem of MITL is EXPSPACE-complete. Furthermore, we have an EXPSPACE algorithm that solves this problem.
5 Model Checking

Model checking is a powerful and well-established technique for the automatic verification of finite-state systems (see, for example, [BCM+90]); it compares a temporal-logic specification of a system against a state-transition description of the system.

In the qualitative case, the system is modeled by its state-transition graph, also known as Kripke structure, and the specification may be presented as a formula of the propositional linear temporal logic PTL [LP84]. For real-time systems, model checking algorithms have been developed for linear temporal logics under a digital-clock interpretation of time [AH89, AH90, HLP90] as well as for branching-time logics under a continuous interpretation of time [ACD90, Lew90]. Using our results about MITL, we can present a real-time verification procedure that checks linear specifications under a continuous model of time.

We model a real-time system by a timed automaton $\mathcal{M}$ and give the specification as a formula $\phi$ of MITL. Hence the model checking problem is to decide whether or not the automaton $\mathcal{M}$ satisfies the specification $\phi$:

$\mathcal{M} \models \phi$

Our construction for testing the satisfiability of MITL-formulas can be used to develop an algorithm for model checking. The first step is to construct a timed automaton $\mathcal{M}_{\neg\phi}$ such that its accepting runs precisely capture the models of the negated formula $\neg\phi$: for every timed state sequence $\rho$, $\mathcal{M}_{\neg\phi}$ has an accepting run $r$ with $\rho_r = \rho$ iff $\rho \not\models \phi$.

The model checking question can, then, be reformulated as follows: $\mathcal{M} \models \phi$ iff no timed state sequence is generated by both $\mathcal{M}$ and $\mathcal{M}_{\neg\phi}$. The next step in the model checking algorithm is to construct a timed automaton $\mathcal{M}'$ that is the product of $\mathcal{M}$ and $\mathcal{M}_{\neg\phi}$; a timed state sequence is generated by $\mathcal{M}'$ iff it is generated by both $\mathcal{M}$ and $\mathcal{M}_{\neg\phi}$.

The product construction for timed automata presented in [AD90] can be easily modified to our version of timed automata. We assume that the clock sets of the component automata, $\mathcal{M}$ and $\mathcal{M}_{\neg\phi}$, are disjoint. The set of clocks of $\mathcal{M}'$ is the union of the clocks of the component automata. The states of $\mathcal{M}'$ are of the form $(s, s')$, where $s$ is a state of $\mathcal{M}$ and $s'$ is a state of $\mathcal{M}_{\neg\phi}$ and both $s$ and $s'$ agree on the assignment of truth values to propositions. The clock constraints for $(s, s')$ are the conjunctions of the clock constraints for $s$ and $s'$. For any pair of transitions $u \xrightarrow{\lambda} v$ and $u' \xrightarrow{\lambda'} v'$ in $\mathcal{M}$ and $\mathcal{M}_{\neg\phi}$, respectively, the product automaton $\mathcal{M}'$ has three transitions: $(u,u') \xrightarrow{\lambda} (v,u')$, $(u,u') \xrightarrow{\lambda'} (u,v')$, and $(u,u') \xrightarrow{\lambda \cup \lambda'} (v,v')$. Thus the transitions of $\mathcal{M}'$ simulate the joint behavior of the two component automata. The acceptance conditions of the individual automata are handled as in the product construction for (untimed) $\omega$-automata.
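The product construction just described, as an added Python example that is neither the paper's nor [AD90]'s code: two small timed automata are constructed inline (their state names, propositions and clock constraints are ours), and `product_automaton` forms the states $(s,s')$ that agree on propositions, conjoins their clock constraints, and generates the three interleaving transitions per pair of component transitions.

```python
from itertools import product as cartesian

# Added example, not from the paper or [AD90]: the product of two timed
# automata as described in Section 5.  An automaton is a dict with a clock
# set, states (name -> propositions true there and a tuple of clock
# constraints, kept as strings) and transitions (u, lam, v) where lam is
# the set of clocks reset.  All names and constraints below are ours.

def product_automaton(A, B):
    """States (s, s') that agree on propositions, clock constraints
    conjoined, and three transitions per pair of component transitions."""
    if A["clocks"] & B["clocks"]:
        raise ValueError("component clock sets must be disjoint")
    states = {}
    for s, s2 in cartesian(A["states"], B["states"]):
        cs, cs2 = A["states"][s], B["states"][s2]
        if cs["props"] != cs2["props"]:      # must agree on truth values
            continue
        states[(s, s2)] = {"props": cs["props"],
                           "constraints": cs["constraints"] + cs2["constraints"]}
    transitions = set()
    for (u, lam, v), (u2, lam2, v2) in cartesian(A["transitions"],
                                                B["transitions"]):
        if (u, u2) not in states:
            continue
        # (u,u') -lam-> (v,u'), (u,u') -lam'-> (u,v'), (u,u') -lam∪lam'-> (v,v');
        # a target that is not a product state is dropped.
        for target, resets in (((v, u2), lam), ((u, v2), lam2),
                               ((v, v2), lam | lam2)):
            if target in states:
                transitions.add(((u, u2), frozenset(resets), target))
    return {"clocks": A["clocks"] | B["clocks"], "states": states,
            "transitions": transitions}

# Constructed system automaton M with a single clock x.
SYSTEM = {
    "clocks": {"x"},
    "states": {"a0": {"props": frozenset({"p"}), "constraints": ("x <= 2",)},
               "a1": {"props": frozenset(),      "constraints": ("x < 5",)}},
    "transitions": [("a0", {"x"}, "a1"), ("a1", set(), "a0")],
}
# Constructed automaton standing in for M_{not phi}, with clock y.
SPEC = {
    "clocks": {"y"},
    "states": {"b0": {"props": frozenset({"p"}), "constraints": ("y = 0",)},
               "b1": {"props": frozenset(),      "constraints": ("y > 0",)},
               "b2": {"props": frozenset({"p"}), "constraints": ("y < 1",)}},
    "transitions": [("b0", set(), "b1"), ("b1", {"y"}, "b2"),
                    ("b2", set(), "b1")],
}

def size_bound_holds(P, A, B):
    """The product is polynomial in the components: at most |S_A|*|S_B|
    states and at most 3*|T_A|*|T_B| transitions."""
    return (len(P["states"]) <= len(A["states"]) * len(B["states"]) and
            len(P["transitions"]) <= 3 * len(A["transitions"])
                                       * len(B["transitions"]))
```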

Hence we have reduced the model checking problem to the emptiness question for timed automata: $\mathcal{M} \models \phi$ iff $\mathcal{M}'$ has no accepting runs. The size of $\mathcal{M}'$ is polynomial in the sizes of $\mathcal{M}$ and $\mathcal{M}_{\neg\phi}$. Consequently, the description of $\mathcal{M}'$ is exponential in the length of $\phi$, and polynomial in the length of the description of $\mathcal{M}$. Since the emptiness problem for timed automata can be solved in PSPACE, it follows that the model checking problem can be solved in EXPSPACE.

As for all linear temporal logics, the model checking question for MITL is no simpler than the satisfiability question: a formula $\phi$ is unsatisfiable iff the universal timed automaton, which generates all possible timed state sequences, satisfies $\neg\phi$. Thus EXPSPACE-hardness of satisfiability implies EXPSPACE-hardness of model checking. The following theorem follows:

Theorem 5.1 (Model checking) The problem of checking if a timed automaton $\mathcal{M}$ satisfies an MITL-formula $\phi$ is EXPSPACE-complete.

The time complexity of the model checking algorithm is polynomial in the qualitative part of the system description, exponential in the qualitative part of the MITL-specification, exponential in the timing part of the system description, and doubly exponential in the timing part of the specification. Compared to this, the model checking algorithm for PTL [LP84] is polynomial in the size of the Kripke structure and exponential in the size of the specification.

Thus moving to real-time gives an additional exponential blow-up. This blow-up seems, however, unavoidable for formalisms for quantitative reasoning about time. It occurs even in the simplest case, synchronous processes that are clocked by a digital clock, in which we can model time by a discrete domain and identify next-state with next-time [EMSS89, AH90].